Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypto-03
Jim Fenton <fenton@bluepopcorn.net> Sat, 08 July 2017 07:08 UTC
From: Jim Fenton <fenton@bluepopcorn.net>
In-Reply-To: <aeee2c9019114d9789a2cd768f0b15e1@usma1ex-dag1mb1.msg.corp.akamai.com>
Date: Fri, 07 Jul 2017 21:08:06 -1000
Cc: Jon Callas <jon@callas.org>, Eric Rescorla <ekr@rtfm.com>, Martin Thomson <martin.thomson@gmail.com>, "dcrup@ietf.org" <dcrup@ietf.org>
Message-Id: <F16764CE-D4C4-4A48-9779-37BC8C2D1261@bluepopcorn.net>
References: <CABkgnnW8nnoRGKoJQ4STAcT6CXdWFRCpz0h20hw+ksfw1x0PGg@mail.gmail.com> <6d4b76c9b42848f1b18c42ba22895993@usma1ex-dag1mb1.msg.corp.akamai.com> <CABcZeBM-qh+iW_+Br2URpdjHsLZ_L1xqZWUVirW-8-E7k4cvzg@mail.gmail.com> <564f297f17424f34b4ba1e118ab6f62c@usma1ex-dag1mb1.msg.corp.akamai.com> <D4D564D0-73C6-45CA-9962-33106229DE02@bluepopcorn.net> <220DB06A-E06D-4DAF-ADE6-7536B6E43630@callas.org> <aeee2c9019114d9789a2cd768f0b15e1@usma1ex-dag1mb1.msg.corp.akamai.com>
To: "Salz, Rich" <rsalz@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/5IExKgEehi8L5I4IoidRtYV73Oo>
Subject: Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypto-03
On Jul 7, 2017, at 4:24 PM, Salz, Rich <rsalz@akamai.com> wrote:

>> For what it's worth, I agree with Jim and Ekr. Hashing is just fine.
>
> Is it fine, or is it a required or just good?
>
> Nobody is saying there is anything wrong with hashing. Several are saying that, given the limitations of some DNS deployments, it is useful to avoid the indirection and just put the key when we can.

What DNS deployment limitation would be adversely affected by the use of a hash? I can't think of any. "Avoid the indirection" makes it sound like more network round-trips would be required if a hash is used. No more network traffic is involved; the verifier only needs to compute the hash of the key included in the message and compare that with the fingerprint included in the key lookup response from DNS. The verifier can even check the signature prior to receiving the DNS response, if it wants.

I'm supporting publishing key fingerprints because I think it's slightly more future-proof, and having been burned by that once already, I don't want to make the same mistake again. But if rough consensus decides otherwise, we go with that of course.

I still haven't heard an answer to the following question I posed about the fingerprints, though: Will the fingerprints always be sha256, or do we need to specify the fingerprint algorithm in the DNS record? In other words, will we assume that sha256 will be strong enough for the life of this protocol?

-Jim
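The fingerprint check the message describes, written out as an added example (this is not code from the draft, the thread, or any DKIM implementation): the verifier parses the DKIM-style tag list in the signature header, base64-decodes the public key carried in the message, hashes it, and compares the result in constant time against the fingerprint published in the DNS key record. The tag names `pk`, `fp` and `fh` are hypothetical placeholders, since the draft's actual tag names are not on this page; the `fh` tag is there to show one answer to the open question about naming the fingerprint hash in the DNS record, with sha256 assumed when it is absent. The key, signature header and DNS record are constructed sample data.

```python
import base64
import hashlib
import hmac

# Hypothetical tag names (an assumption for this example, not taken from the
# draft): the signature header carries the public key in "pk"; the DNS key
# record carries the fingerprint in "fp" and, optionally, the hash used to
# compute it in "fh".  Everything else follows the usual DKIM tag=value layout.
FP_HASHES = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}
DEFAULT_FP_HASH = "sha256"


def parse_tags(text):
    """Parse a DKIM-style tag list ("v=1; a=ed25519-sha256; ...") into a dict.

    Folding whitespace inside a value (a wrapped b= or pk= tag) is removed,
    which is what a verifier does before base64-decoding.
    """
    tags = {}
    for field in text.split(";"):
        field = field.strip()
        if not field:
            continue
        name, sep, value = field.partition("=")
        if not sep or not name.strip():
            raise ValueError("malformed tag: %r" % field)
        tags[name.strip()] = "".join(value.split())
    return tags


def fingerprint(pubkey, hash_name=DEFAULT_FP_HASH):
    """Fingerprint = digest of the raw public key bytes under a named hash."""
    try:
        digest = FP_HASHES[hash_name]
    except KeyError:
        raise ValueError("unsupported fingerprint hash: %s" % hash_name)
    return digest(pubkey).digest()


def key_matches_dns(sig_tags, dns_tags):
    """Check that the key carried in the message is the one the DNS record
    commits to.  Returns (ok, reason).

    No extra DNS traffic is involved: the verifier hashes the in-message key
    and compares it with the fingerprint in the key record it fetches anyway.
    """
    if "pk" not in sig_tags:
        return False, "no public key in signature"
    if "fp" not in dns_tags:
        return False, "no fingerprint in DNS key record"
    # Agility: if the record names no hash the verifier must assume one;
    # naming it lets a record move to a stronger hash without a new protocol.
    hash_name = dns_tags.get("fh", DEFAULT_FP_HASH)
    try:
        pubkey = base64.b64decode(sig_tags["pk"], validate=True)
        expected = base64.b64decode(dns_tags["fp"], validate=True)
        actual = fingerprint(pubkey, hash_name)
    except ValueError as exc:  # binascii.Error is a ValueError; so is bad "fh"
        return False, str(exc)
    if not hmac.compare_digest(actual, expected):
        return False, "fingerprint mismatch"
    return True, "ok"


def key_record(pubkey, hash_name=DEFAULT_FP_HASH):
    """Build the DNS TXT value a signer would publish for a key (constructed)."""
    fp = base64.b64encode(fingerprint(pubkey, hash_name)).decode("ascii")
    return "v=DKIM1; k=ed25519; fh=%s; fp=%s" % (hash_name, fp)


# Constructed sample data: a 32-byte stand-in for a raw Ed25519 public key,
# the record the signer publishes, and the signature header it sends.
SAMPLE_KEY = bytes(range(32))
SAMPLE_DNS_RECORD = key_record(SAMPLE_KEY)
SAMPLE_SIG_HEADER = (
    "v=1; a=ed25519-sha256; d=example.com; s=sel; "
    "pk=" + base64.b64encode(SAMPLE_KEY).decode("ascii") + "; "
    "b=c2lnbmF0dXJlLWJ5dGVz"
)


if __name__ == "__main__":
    sig = parse_tags(SAMPLE_SIG_HEADER)
    print(key_matches_dns(sig, parse_tags(SAMPLE_DNS_RECORD)))
    print(key_matches_dns(sig, parse_tags(key_record(bytes(32)))))
```

Because the key is in the message, the signature itself can be checked with `pk` as soon as the message arrives; `key_matches_dns` is the only step that waits on the DNS answer, which is the point made above about round trips. Any key whose hash does not match is rejected regardless of whether the signature verified.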