Re: [Dcrup] Is there anything this WG wants to do not yet in draft-ietf-dcrup-dkim-crypto-01 ?

"John R. Levine" <johnl@iecc.com> Tue, 20 June 2017 19:44 UTC

To: Scott Kitterman <sklist@kitterman.com>
Cc: dcrup@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/-h5nTY65gmCLFza8gU2qmOnzirc>

> As another non-crypto expert, it's not clear to me what the DNS records for the
> new algorithm are supposed to look like?  If it's reasonably clear from what's
> in the existing RFCs, perhaps an example?

I think the new -02 is clearer.  The format of the key records hasn't 
changed at all other than to add the new algorithms as key tags.

For EdDSA, the p= is the base64 version of the key, just like RSA.

For the fingerprint versions, the p= is the base64 version of the sha-256 
hash of the key.  New text says that you get the key out of the signature 
header, hash it, check that the hash matches the one in the DNS, and then 
use the key as usual.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
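
The fingerprint check described in the message above, as an added example that is not part of the original message or of the draft: take the key carried with the signature, hash it with SHA-256, and compare the result with the p= value from DNS before using the key. Assumptions: the key arrives base64-encoded, the hash covers the decoded key bytes, and the record omits the k= tag because the message does not give its value; the function names and the sample key are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample bytes standing in for a public key; not a real key.
SAMPLE_KEY = bytes(range(32))


def parse_tag_list(record: str) -> dict:
    """Split an RFC 6376 tag=value list into a dict, removing all whitespace from values."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags


def make_fingerprint_record(key_bytes: bytes) -> str:
    """Publisher side: p= is base64(SHA-256(key)). The k= tag is omitted (see lead-in)."""
    digest = base64.b64encode(hashlib.sha256(key_bytes).digest()).decode()
    return f"v=DKIM1; p={digest}"


def key_matches_fingerprint(key_from_signature_b64: str, dns_record: str) -> bool:
    """Verifier side: True only if SHA-256 of the supplied key equals the p= hash in DNS."""
    p_value = parse_tag_list(dns_record).get("p", "")
    if not p_value:
        return False  # missing p=, or empty p= (a revoked key in RFC 6376)
    try:
        published = base64.b64decode(p_value, validate=True)
        key_text = "".join(key_from_signature_b64.split())
        key_bytes = base64.b64decode(key_text, validate=True)
    except (binascii.Error, ValueError):
        return False  # malformed base64 on either side is a failed check
    if len(published) != hashlib.sha256().digest_size:
        return False  # p= is not the length of a SHA-256 hash
    # Constant-time comparison of the computed and published hashes.
    return hmac.compare_digest(hashlib.sha256(key_bytes).digest(), published)


if __name__ == "__main__":
    record = make_fingerprint_record(SAMPLE_KEY)
    print(record)
    print(key_matches_fingerprint(base64.b64encode(SAMPLE_KEY).decode(), record))
```

Only when this check passes does the verifier go on to verify the signature with the supplied key, which this example does not do.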