[Dcrup] Re: [standards] [Editorial Errata Reported] RFC8463 (7930)

Viktor Dukhovni <viktor@dukhovni.org> Sun, 12 May 2024 00:33 UTC

Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dukhovni.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dukhovni.org; i=@dukhovni.org; q=dns/txt; s=f8320d6e; t=1715474057; h=date : from : to : cc : subject : message-id : mime-version : content-type : in-reply-to : from; bh=ujwq3MBxqOSN3825dBRqh4ujNYRqN+mJJDKl/OFlo38=; b=ObLbczuQ2GqPlir+fLEOVXx7CV4oGM2q/LMzXZDoF6sEn456MvakPsj4nKe4dJmrRzGLa fTnA1Y/cyCsRohsslNxBqs/l6hg5j7B/DAQl3Q8a/r5kQUZ+Kl/dNcpvGqgXRuP5RSWGjOP b09h+5Hb7EQhsVa3vNZ86t+gDMXMxkU=
Date: Sat, 11 May 2024 20:34:17 -0400
From: Viktor Dukhovni <viktor@dukhovni.org>
To: Steffen Nurpmeso <steffen@sdaoden.eu>
Message-ID: <ZkAOictS1ygyIBZe@chardros.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20240511223227.IW5-DSdi@steffen%sdaoden.eu> <20240511201754.H_LMdv5z@steffen%sdaoden.eu> <20240511201039.lf46znlR@steffen%sdaoden.eu>
CC: John R Levine <johnl@taugh.com>, RFC Errata System <rfc-editor@rfc-editor.org>, dcrup@ietf.org, Scott Kitterman <sklist@kitterman.com>, "Murray S. Kucherawy" <superuser@gmail.com>, Orie Steele <orie@transmute.industries>, Rebecca VanRheenen <rvanrheenen@amsl.com>
Subject: [Dcrup] Re: [standards] [Editorial Errata Reported] RFC8463 (7930)
List-Id: DKIM Crypto Update <dcrup.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/6h4A85tL6yKwYs3YAZblM2IOj3k>

On Sat, May 11, 2024 at 10:10:39PM +0200, Steffen Nurpmeso wrote:

> Thanks a lot for spending so much time and effort to figure out
> John R's fault; your crypto knowledge and artistry are always
> amazing to read *and see*.  Thank you!

I believe you owe an apology to John Levine, and more generally would
achieve better results by practicing some more humility.  Your current
flame-thrower-on-full-blast approach is not productive.

>  |3. This is then signed with the Ed25519 key from RFC8032:
>  ...
> 
> Wonderful, thank you very much.  So John R Levine mapped the RSA
> scheme onto Ed25519, where one first generates a message digest,
> which is then signed.

No.  You've failed to read the DKIM RFCs.  All DKIM signatures
are by design private key operations over the "data-hash" of the
message with the indicated hash function.  The fact that RSA can
combine hashing and signing in one step is an optional convenience;
conceptually the steps are separate.

    https://www.rfc-editor.org/rfc/rfc6376.html#section-3.7

    ...
    signature    =  sig-alg (d-domain, selector, data-hash)
    ...

      NOTE: Many digital signature APIs provide both hashing and
      application of the RSA private key using a single "sign()"
      primitive.  When using such an API, the last two steps in the
      algorithm would probably be combined into a single call that would
      perform both the "a-hash-alg" and the "sig-alg".

This makes it possible to perform the signature operation in a single
pass, without holding the entire message in memory; only the short
digest is presented to the private key signing step.

Please resist any temptation to signal indignation; this matter should
now be closed.  Your Ed25519 signing implementation needs to hash the
message, and then sign the hash.

-- 
    Viktor.
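The "hash, then sign" structure Viktor describes, as an added example that is not part of the thread and is not any participant's implementation: it computes the RFC 6376 section 3.7 data-hash (relaxed header canonicalization, simple body canonicalization, the DKIM-Signature field with an empty b= tag) and then applies the Ed25519 private key to that 32-byte SHA-256 digest, which is the ed25519-sha256 algorithm of RFC 8463. It also shows the failure mode the thread is about: a signature made over the whole canonicalized header stream does not verify against the data-hash, so a conforming verifier rejects it. The key is RFC 8032 test vector 1 (the same key RFC 8463's example record uses); the message, domain "example.org" and the use of the "brisbane" selector name are constructed for this example, and the canonicalization helpers cover only the rules the sample needs (no tag-list parsing, no DNS lookup of the p= record).

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// RFC 8032 section 7.1, test vector 1. The base64 of pubHex is the p= value in
// RFC 8463's example DNS record.
const (
	seedHex = "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60"
	pubHex  = "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a"
)

// Constructed sample message (not from the RFC or the thread). The Subject is
// folded and has extra whitespace so relaxed canonicalization has work to do.
var signedFields = []string{
	"From: Alice Example <alice@example.org>",
	"To: Bob Example <bob@example.net>",
	"Subject:  Is   the signature\r\n\tover the hash?",
}

const sampleBody = "Yes: hash first, then apply the private key.\r\n\r\n\r\n"

func keyPair() (ed25519.PrivateKey, ed25519.PublicKey) {
	seed, _ := hex.DecodeString(seedHex)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv, priv.Public().(ed25519.PublicKey)
}

// relaxedHeader applies RFC 6376 section 3.4.2 to one "Name: value" field:
// lowercase the name, unfold, collapse WSP runs to one SP, trim around the colon.
func relaxedHeader(field string) string {
	name, value, _ := strings.Cut(field, ":")
	return strings.ToLower(strings.TrimSpace(name)) + ":" +
		strings.Join(strings.Fields(value), " ") + "\r\n"
}

// simpleBody applies RFC 6376 section 3.4.3: drop trailing empty lines and
// end the body with exactly one CRLF.
func simpleBody(body string) string {
	return strings.TrimRight(body, "\r\n") + "\r\n"
}

// bodyHash is the bh= tag value: base64(SHA-256(canonicalized body)).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(simpleBody(body)))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signatureHeader builds the DKIM-Signature field as it enters the data-hash:
// all tags present, b= empty (RFC 6376 section 3.7).
func signatureHeader(bh string) string {
	return "DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=example.org; s=brisbane;\r\n" +
		"\th=from:to:subject; bh=" + bh + "; b="
}

// headerStream is the input to a-hash-alg: each signed field canonicalized and
// CRLF-terminated, then the canonicalized DKIM-Signature field without its CRLF.
func headerStream(signed []string, sigField string) []byte {
	var b strings.Builder
	for _, h := range signed {
		b.WriteString(relaxedHeader(h))
	}
	b.WriteString(strings.TrimSuffix(relaxedHeader(sigField), "\r\n"))
	return []byte(b.String())
}

// dataHash is the 32-byte value the private key operation is applied to.
func dataHash(stream []byte) []byte {
	sum := sha256.Sum256(stream)
	return sum[:]
}

// signDigest is sig-alg(data-hash) for a=ed25519-sha256: Ed25519 over the
// SHA-256 digest, not over the message.
func signDigest(priv ed25519.PrivateKey, digest []byte) []byte {
	return ed25519.Sign(priv, digest)
}

// verifyDigest is the verifier side: recompute data-hash from the received
// message and check the b= value against it.
func verifyDigest(pub ed25519.PublicKey, digest, sig []byte) bool {
	return len(digest) == sha256.Size && ed25519.Verify(pub, digest, sig)
}

func main() {
	priv, pub := keyPair()
	sigField := signatureHeader(bodyHash(sampleBody))
	stream := headerStream(signedFields, sigField)
	digest := dataHash(stream)

	good := signDigest(priv, digest)
	fmt.Printf("b=%s\n", base64.StdEncoding.EncodeToString(good))
	fmt.Println("verify(digest, sign(digest)):", verifyDigest(pub, digest, good))

	// Signing the canonicalized stream directly (Ed25519 then hashes it with its
	// own internal SHA-512) yields a value a DKIM verifier cannot check.
	wrong := ed25519.Sign(priv, stream)
	fmt.Println("verify(digest, sign(stream)):", verifyDigest(pub, digest, wrong))
}
```

Run with `go run` on a file containing the block; the first verify line prints true and the second false. Note that Ed25519 is "pure" and hashes its input internally, which is exactly why the two signatures differ: the data-hash step is not optional for ed25519-sha256 the way it looks optional with an RSA "sign()" API that folds SHA-256 into the call.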