Re: [dane] (draft-ietf-dane-smime) SHA-224 not in CryptoAPI

Paul Wouters <paul@cypherpunks.ca> Wed, 07 January 2015 18:46 UTC

Return-Path: <paul@cypherpunks.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FD971A014C for <dane@ietfa.amsl.com>; Wed, 7 Jan 2015 10:46:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.778
X-Spam-Level:
X-Spam-Status: No, score=-0.778 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URI_HEX=1.122] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yrKIUPT8NTNB for <dane@ietfa.amsl.com>; Wed, 7 Jan 2015 10:45:59 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C6151A0242 for <dane@ietf.org>; Wed, 7 Jan 2015 10:45:56 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3kHffR0dQdz31J for <dane@ietf.org>; Wed, 7 Jan 2015 19:45:51 +0100 (CET)
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id AdDN8X3pY3YK for <dane@ietf.org>; Wed, 7 Jan 2015 19:45:49 +0100 (CET)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) by mx.nohats.ca (Postfix) with ESMTPS for <dane@ietf.org>; Wed, 7 Jan 2015 19:45:48 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 8B66B809FE for <dane@ietf.org>; Wed, 7 Jan 2015 13:45:47 -0500 (EST)
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id t07Ijk89031173 for <dane@ietf.org>; Wed, 7 Jan 2015 13:45:47 -0500
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Wed, 7 Jan 2015 13:45:46 -0500 (EST)
From: Paul Wouters <paul@cypherpunks.ca>
X-X-Sender: paul@bofh.nohats.ca
To: dane WG list <dane@ietf.org>
In-Reply-To: <20150107054216.GV7322@mournblade.imrryr.org>
Message-ID: <alpine.LFD.2.10.1501071327300.15288@bofh.nohats.ca>
References: <54ACC218.8070507@seantek.com> <20150107054216.GV7322@mournblade.imrryr.org>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/0p8FQJDDfDszSQd97eJOHmsJ4_8
Subject: Re: [dane] (draft-ietf-dane-smime) SHA-224 not in CryptoAPI
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jan 2015 18:46:01 -0000

On Wed, 7 Jan 2015, Viktor Dukhovni wrote:

> On Tue, Jan 06, 2015 at 09:20:24PM -0800, Sean Leonard wrote:
>
>> I would like to point out that SHA-224 is not a good choice for a fixed hash
>> algorithm. SHA-224 is not implemented in Microsoft CryptoAPI / Cryptography
>> Next Generation, which means that Windows apps (clients and servers) will
>> have a more difficult time implementing this thing. Reference:
>> <http://msdn.microsoft.com/library/bb931357>. I suggest sticking with
>> SHA-256.

Wish we had known that sooner :(

> A base32 encoding of SHA2-224 requires 45 octets, while SHA2-256
> requires 52 octets.  Every little bit of space saved helps, DNS
> names have a limited length.  One could of course truncate SHA2-256,
> if availability of SHA2-224 is a major problem.  IIRC SHA2-224 is
> essentially that, but is "salted" a bit differently to distinguish
> it from truncated SHA2-256 output.

I have no problem with this for OPENPGPKEY.

> The larger question is whether putting per-user keys in DNS is the
> right approach, or whether DNS should instead provide key material
> to authenticate a dedicated lookup service

Actually, this has nothing to do with the problem of the hash of the
username which is needed to _find_ the DNS record. You are talking about
adding another level of indirection for the return _data_ and you'll be
adding another choke/failure/filter point people can attack to prevent
you from publishing your key

Plus, a mechanism already exists to solve what you (not I) deem to be a
problem:

danm._pka.prime.gushi.org.  TXT         "v=pka1;fpr=C2063054549295F3349037FFFBBE5A30624BB249;uri=http://prime.gushi.org/danm.pubkey.txt"

Perhaps someone wants to run a fetch on the RIPE ATLAS network for:

ab16de0656382d91838914109ab89a0a4e04321550a1a20ace7a8b66._openpgpkey.nohats.ca

and see how many sites cannot get the data back?

>  Using something other than DNS would allow the
> lookup service to handle key canonicalization (case folding, handling
> of address extensions, ...), which are otherwise difficult.

We've been waiting for 20 years. Pervasive monitoring etc...

ExecSum: If we use a truncated sha2_256 in smime, we should use it in openpgpkey
too. We should try to keep these two in sync. Not storing key data in
DNS is off-topic.

Paul