Re: [Dcrup] new version draft-ietf-dcrup-dkim-crypto-04
Martin Thomson <martin.thomson@gmail.com> Mon, 31 July 2017 03:14 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8D58131C60 for <dcrup@ietfa.amsl.com>; Sun, 30 Jul 2017 20:14:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5FVembd3_ixo for <dcrup@ietfa.amsl.com>; Sun, 30 Jul 2017 20:14:14 -0700 (PDT)
Received: from mail-it0-x234.google.com (mail-it0-x234.google.com [IPv6:2607:f8b0:4001:c0b::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF39A126CB6 for <dcrup@ietf.org>; Sun, 30 Jul 2017 20:14:13 -0700 (PDT)
Received: by mail-it0-x234.google.com with SMTP id h199so118818726ith.1 for <dcrup@ietf.org>; Sun, 30 Jul 2017 20:14:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=6jYZmvqoSi4BrwYC4tJHBrGL98zAzHKK+cpe5imag3E=; b=TF12oP/10jT5tDBNHHumQfuWjs1QZ0TG+uv1LFCQcbWHLqQIXtHY8skudpEZsAYETV Tr6ynbDbJuYmQLUpw7/8N++gjHPmhFm+AsrsReCoJaBc1A33353QwfQgw18oEysZdx/O nwCfpKyfdb+PRbJ/OOloQFO7XTfdvdbe6CJt9acQ6m09ofjbS1JR+ez7ZJKCeI5IwEp0 Q61OaKshW5txs482+qMrtI3yPkJ8ywFvTr3DN8vdRrgeHHXXggdhG5ffbqP1J2pQ+uXE VBA5wuov810MfDH7lIELi/gC58bKkzhptsV9ft20D+Co14+hnSG3N8xzP0Nb/iu2jzWf REfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=6jYZmvqoSi4BrwYC4tJHBrGL98zAzHKK+cpe5imag3E=; b=iQVj2O3fD8oNj5nE6o2fhQkQRpN9J/DqtjMfuRMn3XjOnmtemhnw7k6VyzHPT0B2OY d7d1F+48bWvNKlHSOyNHVdBK+yLRFfrQ0TcRbQj8EmJcre8MpWDOqEBGSXSw7BPF24io jWL4synTLRelY0kLsLDQS68a0U3SI2DftlVZB8b0+EZ76fIvtoox/Hgik9y2Z/je0/1n g88myUP7ZaOskMo0VGpzUtVqYmHDfL+plbN1569z8tsummnvsKU2qMcmoiXeC4Q0ve3f xLU77NqbEX6ywNuMhczHiTXW4GUuG55zMMsCiBR+wK2r9ISwiU8ghg02B65R5dy8gqCQ neRw==
X-Gm-Message-State: AIVw112AMzGLd1J5kL2zXIsub+byF9O5gEERuYYGDkO6YH8BH1VM991R EQqzkGjVTNXavKncxQxtfHRNRdmvhgwWH3w=
X-Received: by 10.36.5.68 with SMTP id 65mr17740298itl.140.1501470853234; Sun, 30 Jul 2017 20:14:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.164.42 with HTTP; Sun, 30 Jul 2017 20:14:12 -0700 (PDT)
In-Reply-To: <alpine.OSX.2.21.1707281410000.7564@ary.qy>
References: <alpine.OSX.2.21.1707281410000.7564@ary.qy>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 31 Jul 2017 13:14:12 +1000
Message-ID: <CABkgnnWi6qS6L7mBHfFObMZhP=2C9mpX8sCuM8sx5efD=dX=kQ@mail.gmail.com>
To: John R Levine <johnl@taugh.com>
Cc: dcrup@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/6xC2zPQNgo5bqamlk7qhKWlVSn8>
Subject: Re: [Dcrup] new version draft-ietf-dcrup-dkim-crypto-04
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Jul 2017 03:14:16 -0000
Hi John, This looks pretty good. The abstract still says "and deprecates an obsolete signing algorithm", which I think that you only obliquely. I think that you can remove the "Updates: RFC 6376" as well, but that means larger changes. In the spirit of leaving the removal of the crusty old stuff to the other draft, I think that you should: 1. remove the clause from the abstract 2. remove the first paragraph of Section 6 (which specifies the update to RFC 6376) 3. remove the requirement to use 1024-bit keys for "rsa-sha256" That means changing Section 3 to concentrate on what rsafp does, rather than specify it as patches to RFC 6376. Yes, this doesn't make the change to hashed keys generic and others will likely cargo-cult this document, but monkey-patching RFC 6376 like this could affect "rsa" keys as well as "rsafp" keys. OLD: Section 5.5 of [RFC6376], on computing the message hash and signature, is modified as follows: When creating a signature with a signing algorithm that uses a key fingerprint, the signer includes the public key in the signature as a base64 encoded string with a k= tag. The key in the tag is the same one that would be published in a non-fingerprint key record. NEW: When creating a signature with an "rsafp" algorithm, the signer includes the public key in the signature as a base64 encoded string with a p= tag. The value of the p= tag is an ASN.1 DER-encoded [ITU-X660-1997] RSAPublicKey (see [RFC3447], Sections 3.1 and A.1.1). IMPORTANT: I think that you meant p= here rather than k=. OLD: Section 3.7 of [RFC6376], on computing the message hashes, is not modified. Since the key in the k= tag is known in advance, it included in the signature in the same manner as all of the other signature fields other than b=. NEW: Message hashes are computed exactly as described in [RFC6376]. Since the key in the p= tag is known in advance, it is included in the signature in the same manner as all of the other signature fields other than b=. OLD: Section 6.1.3 of [RFC6376], to compute the verification, is modified as follows: In item 4, if the signing algorithm uses a key fingerprint, extract the verification key from the k= tag. If there is no such tag, the signature does not validate. Extract the key hash from the p= tag of the key record. If there is no such tag or the tag is empty, the signature does not validate. Compute the SHA-256 hash of the verification key, and compare it to the value of the key hash. If they are not the same, the signature does not validate. Otherwise proceed to verify the signature using the validation key and the algorithm described in the "a=" tag. NEW: To verify a signature using the "rsafp" algorithm, follow the process described in RFC 6376 for "rsa" keys. However, the "rsafp" algorithm takes the verification key from the p= tag. If the p=tag is not present in the message, the signature does not validate. In addition to signature verification, the verifier MUST ensure that the p= field of the key record is equal to the SHA-256 hash of the verification key. If this check fails, the signature does not validate. Final unrelated comment: You recommend that "rsafp signatures SHOULD use key lengths of 1536 or 2048 bits". I think that you want to include an "at least" here, and use MUST. Pick a number. The rest of the industry is relatively comfortable with 2048, which would be my pick, i.e., "rsafp signatures MUST use keys that are 2048 bits or larger" On 29 July 2017 at 04:11, John R Levine <johnl@taugh.com> wrote: > This takes out the sha-1 deprecation stuff and makes many editorial changes > based on comments from ekr and Martin T. I didn't necessarily do everything > they suggested, but I think I did look at all the suggestions. > > Regards, > John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY > Please consider the environment before reading this e-mail. https://jl.ly > > _______________________________________________ > Dcrup mailing list > Dcrup@ietf.org > https://www.ietf.org/mailman/listinfo/dcrup
- [Dcrup] new version draft-ietf-dcrup-dkim-crypto-… John R Levine
- Re: [Dcrup] new version draft-ietf-dcrup-dkim-cry… Martin Thomson
- Re: [Dcrup] new version draft-ietf-dcrup-dkim-cry… John R Levine
- Re: [Dcrup] new version draft-ietf-dcrup-dkim-cry… Martin Thomson
- Re: [Dcrup] new version draft-ietf-dcrup-dkim-cry… John R Levine
- Re: [Dcrup] new version draft-ietf-dcrup-dkim-cry… Martin Thomson
- Re: [Dcrup] new version draft-ietf-dcrup-dkim-cry… Scott Kitterman