author Jeremy Harris <jgh146exb@wizmail.org> 2019-10-23 13:27:06 +0100
committer Jeremy Harris <jgh146exb@wizmail.org> 2019-10-23 13:27:06 +0100
commit 6ce1ece9cb2b13fdc4d235146fa98835811570bd (patch)
tree 5dfd58826ff4b25fd92ab337ed3cb6c4aef5e72d /doc/doc-docbook
parent 0075b53360a9b1452bd5d11b9c0a6c254c42a465 (diff)
DKIM: disallow default acceptance of sha1 for verify
Diffstat (limited to 'doc/doc-docbook')
-rw-r--r-- doc/doc-docbook/spec.xfpt 13
1 files changed, 9 insertions, 4 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index bb19e3915..c8b999c9f 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -15113,15 +15113,20 @@ to handle IPv6 literal addresses.
.new
-.option dkim_verify_hashes main "string list" "sha256 : sha512 : sha1"
+.option dkim_verify_hashes main "string list" "sha256 : sha512"
.cindex DKIM "selecting signature algorithms"
This option gives a list of hash types which are acceptable in signatures,
and an order of processing.
Signatures with algorithms not in the list will be ignored.
-Note that the presence of sha1 violates RFC 8301.
-Signatures using the rsa-sha1 are however (as of writing) still common.
-The default inclusion of sha1 may be dropped in a future release.
+Acceptable values include:
+.code
+sha1
+sha256
+sha512
+.endd
+
+Note that the acceptance of sha1 violates RFC 8301.
.option dkim_verify_keytypes main "string list" "ed25519 : rsa"
This option gives a list of key types which are acceptable in signatures,
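Review bot: the added text under dkim_verify_hashes lists sha1 as an acceptable value but never tells the reader that it is no longer part of the default, so the operational consequence has to be inferred from the changed .option line. Since the paragraph already says "Signatures with algorithms not in the list will be ignored", it would help to state directly after the .endd block that sha1 is not in the default list, that rsa-sha1 signatures are therefore ignored by default, and that a site which still needs to verify them has to add sha1 to the option explicitly. The removed sentence noting that rsa-sha1 signatures were still common was the only hint to administrators about how much mail this affects; consider keeping a shortened form of it next to the RFC 8301 note so that the compliance statement and the compatibility trade-off sit together.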