Re: [Dcrup] combo update draft-ietf-dcrup-dkim-crypto-01

Martin Thomson <martin.thomson@gmail.com> Mon, 12 June 2017 12:39 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/36zleDVQqrmFRZEhq7zVZpONu4c>

Quick comments:

       sig-a-tag-k = "rsa" / "rsafp" / "eddsa" / "eddsafp" x-sig-a-tag-k

This is missing a '/' for the extension piece.  Also, I would instead do:

       sig-a-tag-k /= "rsafp" / "eddsa" / "eddsafp"

I found the description to be hard to follow and I know how this
works.  You really need more information on how the fingerprint-based
schemes work here.

1. You need to explicitly state that the hash function for the
signature scheme is used to construct the fingerprint.

2. You need to explain how to validate a signature.

This description could be made generic so that (for example) PQ
schemes could use this.



On 12 June 2017 at 11:07, John R Levine <johnl@taugh.com> wrote:
> Per recent discussion I just updated the original dcrup draft.  Changes
>
> * new algorithm is now EdDSA, tags updated appropriately
>
> * sha1 hash is moved to historic
>
> * place marker to splice in deprecation text from Scott's draft if we want
> to.
>
> My draft has always provided updated text for section 3.3 of RFC 6376. It
> says which algorithms signers and verifiers are supposed to use.
>
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
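
Added example, not part of the original message or the draft: a sketch of the fingerprint check behind the "rsafp" / "eddsafp" variants, where the hash half of the `a=` value is the hash used to build the fingerprint. It assumes (none of this is stated in the thread) that the signature carries the public key in a `k=` tag and that the DNS record's `p=` tag holds the hash of that key; the sample key and records are constructed.

```python
import base64
import hashlib
import hmac

FP_SCHEMES = {"rsafp", "eddsafp"}        # fingerprint variants named in the message
HASHES = {"sha256": hashlib.sha256}      # hash half of the a= value (RFC 6376 form)

def parse_tags(text):
    """Parse a DKIM tag-list ("a=b; c=d") into a dict, removing folding whitespace."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def resolve_key(sig_header, dns_record):
    """Return the public key bytes to verify with; raise ValueError on any mismatch."""
    sig, rec = parse_tags(sig_header), parse_tags(dns_record)
    scheme, _, hash_name = sig["a"].partition("-")
    if scheme not in FP_SCHEMES:
        return base64.b64decode(rec["p"])        # plain scheme: DNS holds the key itself
    if hash_name not in HASHES or "k" not in sig:
        raise ValueError("unsupported hash or no key in signature")
    key = base64.b64decode(sig["k"])             # ASSUMED: key travels in the signature
    published = base64.b64decode(rec["p"])       # ASSUMED: DNS p= holds H(key)
    computed = HASHES[hash_name](key).digest()   # same hash the signature scheme uses
    if not hmac.compare_digest(computed, published):
        raise ValueError("signature key does not match published fingerprint")
    return key                                   # then verify b= as for "rsa" / "eddsa"

def b64(data):
    return base64.b64encode(data).decode()

# Constructed sample data: 32 placeholder bytes standing in for an Ed25519 public key.
SAMPLE_KEY = bytes(range(32))
SAMPLE_DNS = "v=DKIM1; p=" + b64(hashlib.sha256(SAMPLE_KEY).digest())
SAMPLE_SIG = "v=1; a=eddsafp-sha256; d=example.com; k=" + b64(SAMPLE_KEY)

if __name__ == "__main__":
    print(resolve_key(SAMPLE_SIG, SAMPLE_DNS) == SAMPLE_KEY)
```

Nothing in `resolve_key` depends on the key format, so the same check would cover any scheme whose keys are too large to publish directly in DNS.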