Re: [dane] Digest Algorithm Agility discussion

Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 17 March 2014 19:00 UTC

Date: Mon, 17 Mar 2014 19:00:28 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140317190028.GG24183@mournblade.imrryr.org>
References: <20140315051704.GY21390@mournblade.imrryr.org> <alpine.LFD.2.10.1403171115580.32251@bofh.nohats.ca> <20140317155049.GB24183@mournblade.imrryr.org> <B4473EDA-DAB4-4CC2-ACCD-B4F8939E5A2C@vpnc.org> <20140317174423.GE24183@mournblade.imrryr.org> <040FB71F-BD97-44A2-A600-B6E69FBD1EE5@vpnc.org> <20140317182219.GF24183@mournblade.imrryr.org> <alpine.LFD.2.10.1403171440540.32251@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LFD.2.10.1403171440540.32251@bofh.nohats.ca>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/LUfvnQjr6oA9yXSjhbhaDJiofVg
Subject: Re: [dane] Digest Algorithm Agility discussion
Precedence: list
Reply-To: dane@ietf.org

On Mon, Mar 17, 2014 at 02:46:41PM -0400, Paul Wouters wrote:

> >My proposal modifies the pseudo-code
> >to loop over only those records (for each usage/selector) with the
> >strongest digest plus any records with matching type 0.
> 
> So I agree with you that is the right approach. I am not sure if I
> agree that we should try and write that into an RFC other than
> "according to local policy".
> 
> but the text should clearly not be like 6698, that would technically
> violate the RFC if your method of local policy is implemented.

The motivation to publish the proposed digest algorithm agility
algorithm is to encourage (coerce) server operators to make sure
that they always use "cross product" TLSA RRsets:

    for each usage
	for each selector(for that usage)
	    for each supported digest
		for each object (of given usage and selector)
		    publish usage selector mtype(digest) {digest(object)}

since the set of digests is the same for every object, it is safe
to ignore any subset of the non-zero mtypes.

Now this is in some sense already implied by 6698 since the server
operator does not know which digests might be excluded by a 6698
4.1 local policy.  The goal is to both highlight this requirement,
and to encourage (require) clients to implement agility rather than
leave it to implementor's imagination.

In Postfix, users get to configure which digests are acceptable
and their priority.  The default is to support both SHA2-256 and
SHA2-512 and to prefer the latter.

-- 
	Viktor.

[dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Wouters
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Hoffman
Re: [dane] Digest Algorithm Agility discussion Paul Wouters
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Hoffman
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Wouters
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Hoffman
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Martin Rex
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion (c… Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Jim Schaad
Re: [dane] Digest Algorithm Agility discussion (c… Paul Hoffman
Re: [dane] Digest Algorithm Agility discussion (c… Andrew Sullivan
Re: [dane] Digest Algorithm Agility discussion (c… Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion (c… Scott Rose
Re: [dane] Digest Algorithm Agility discussion (c… Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion (c… Scott Rose
Re: [dane] Digest Algorithm Agility discussion Wes Hardaker
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Wouters
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
Re: [dane] Digest Algorithm Agility discussion Wes Hardaker
Re: [dane] Digest Algorithm Agility discussion Wes Hardaker