Re: [Dcrup] draft-ietf-dcrup-dkim-usage and document shepherds

Scott Kitterman <sklist@kitterman.com> Sat, 10 June 2017 03:39 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB319128B37 for <dcrup@ietfa.amsl.com>; Fri, 9 Jun 2017 20:39:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EwmcK3CKziFT for <dcrup@ietfa.amsl.com>; Fri, 9 Jun 2017 20:39:09 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [IPv6:2607:f0d0:3001:aa::2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B68D12708C for <dcrup@ietf.org>; Fri, 9 Jun 2017 20:39:08 -0700 (PDT)
Received: from [10.240.183.25] (mobile-166-171-59-202.mycingular.net [166.171.59.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id BFDB4C402C5; Fri, 9 Jun 2017 22:39:07 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1497065947; bh=i/ujr+4MziwwFmivkArDLupRJHVmY9pJVu9+iwN9uqc=; h=Date:In-Reply-To:References:Subject:To:From:From; b=njFJxOked8wKFyPd3zu9+31IBciTVlDFx4zGAXH4HF6nY7WZLmUOLlc8mdSeBqmtf BEuiSkWxPzvt1XCmknBYg7cIXzHhJ8swrFXKMnBWlYPp9mxqt2uMaUOWLqfDZb3eyj X+adF2w4EnpF/J0CcQXqzBtJb8ubLee9qu2D3Mpk=
Date: Sat, 10 Jun 2017 03:39:05 +0000
In-Reply-To: <20170610030400.12835.qmail@ary.lan>
References: <20170610030400.12835.qmail@ary.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
To: dcrup@ietf.org
From: Scott Kitterman <sklist@kitterman.com>
Message-ID: <DE201939-EA16-4957-B160-2B45B3BA60C1@kitterman.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/0Ftf4CoecWRzrNBmeCyas4Sp6wo>
Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-usage and document shepherds
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Jun 2017 03:39:11 -0000


On June 9, 2017 11:04:00 PM EDT, John Levine <johnl@taugh.com> wrote:
>In article <CBFF8363-08F6-419E-AB24-D26137627C76@kitterman.com> you
>write:
>>>Given that we are nowhere close to deciding what elliptic
>algorithm(s)
>>>to add, it seems kind of premature to me.
>>
>>Why would that matter?  This draft just gets rid of the obsolete
>cruft.  It clears the deck for adding a new
>>algorithm, but in no way requires we have that sorted out.
>
>I had the perhaps overoptimistic hope that we could wrap up the new
>algorithm reasonably quickly and update DKIM once rather than twice.
>
>There is a significant cost to each RFC, both in what it costs to
>produce it, and to people's attention in the future.  The more places
>you spread around the spec, the more likely it is that people will
>miss part of it.
>
>If it's going to take us another year to decide which elliptic curve
>to use and whether to add key hashes, then OK, we can push this out
>now, but I hope we can do better than that.

I think it will take awhile.  This particular discussion is the one I thought we'd already had when the group agreed to split this out into a separate draft.

This particular draft is already roughly five years late.

If we don't get something that rips out the obsolete crypto soon, then ARC is either going to have to wait or have a separate crypto specification from DKIM.  I don't see a new protocol with rsa-sha1 512 bits getting approved.  Neither of those options is good.

Scott K