IETF Logo Mail Archive

Re: [Dcrup] new version draft-ietf-dcrup-dkim-crypto-04

Martin Thomson <martin.thomson@gmail.com> Mon, 31 July 2017 03:14 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8D58131C60 for <dcrup@ietfa.amsl.com>; Sun, 30 Jul 2017 20:14:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5FVembd3_ixo for <dcrup@ietfa.amsl.com>; Sun, 30 Jul 2017 20:14:14 -0700 (PDT)
Received: from mail-it0-x234.google.com (mail-it0-x234.google.com [IPv6:2607:f8b0:4001:c0b::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF39A126CB6 for <dcrup@ietf.org>; Sun, 30 Jul 2017 20:14:13 -0700 (PDT)
Received: by mail-it0-x234.google.com with SMTP id h199so118818726ith.1 for <dcrup@ietf.org>; Sun, 30 Jul 2017 20:14:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=6jYZmvqoSi4BrwYC4tJHBrGL98zAzHKK+cpe5imag3E=; b=TF12oP/10jT5tDBNHHumQfuWjs1QZ0TG+uv1LFCQcbWHLqQIXtHY8skudpEZsAYETV Tr6ynbDbJuYmQLUpw7/8N++gjHPmhFm+AsrsReCoJaBc1A33353QwfQgw18oEysZdx/O nwCfpKyfdb+PRbJ/OOloQFO7XTfdvdbe6CJt9acQ6m09ofjbS1JR+ez7ZJKCeI5IwEp0 Q61OaKshW5txs482+qMrtI3yPkJ8ywFvTr3DN8vdRrgeHHXXggdhG5ffbqP1J2pQ+uXE VBA5wuov810MfDH7lIELi/gC58bKkzhptsV9ft20D+Co14+hnSG3N8xzP0Nb/iu2jzWf REfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=6jYZmvqoSi4BrwYC4tJHBrGL98zAzHKK+cpe5imag3E=; b=iQVj2O3fD8oNj5nE6o2fhQkQRpN9J/DqtjMfuRMn3XjOnmtemhnw7k6VyzHPT0B2OY d7d1F+48bWvNKlHSOyNHVdBK+yLRFfrQ0TcRbQj8EmJcre8MpWDOqEBGSXSw7BPF24io jWL4synTLRelY0kLsLDQS68a0U3SI2DftlVZB8b0+EZ76fIvtoox/Hgik9y2Z/je0/1n g88myUP7ZaOskMo0VGpzUtVqYmHDfL+plbN1569z8tsummnvsKU2qMcmoiXeC4Q0ve3f xLU77NqbEX6ywNuMhczHiTXW4GUuG55zMMsCiBR+wK2r9ISwiU8ghg02B65R5dy8gqCQ neRw==
X-Gm-Message-State: AIVw112AMzGLd1J5kL2zXIsub+byF9O5gEERuYYGDkO6YH8BH1VM991R EQqzkGjVTNXavKncxQxtfHRNRdmvhgwWH3w=
X-Received: by 10.36.5.68 with SMTP id 65mr17740298itl.140.1501470853234; Sun, 30 Jul 2017 20:14:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.164.42 with HTTP; Sun, 30 Jul 2017 20:14:12 -0700 (PDT)
In-Reply-To: <alpine.OSX.2.21.1707281410000.7564@ary.qy>
References: <alpine.OSX.2.21.1707281410000.7564@ary.qy>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 31 Jul 2017 13:14:12 +1000
Message-ID: <CABkgnnWi6qS6L7mBHfFObMZhP=2C9mpX8sCuM8sx5efD=dX=kQ@mail.gmail.com>
To: John R Levine <johnl@taugh.com>
Cc: dcrup@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/6xC2zPQNgo5bqamlk7qhKWlVSn8>
Subject: Re: [Dcrup] new version draft-ietf-dcrup-dkim-crypto-04
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Jul 2017 03:14:16 -0000

Hi John,

This looks pretty good.

The abstract still says "and deprecates an obsolete signing
algorithm", which I think that you only obliquely.  I think that you
can remove the "Updates: RFC 6376" as well, but that means larger
changes.

In the spirit of leaving the removal of the crusty old stuff to the
other draft, I think that you should:

1. remove the clause from the abstract
2. remove the first paragraph of Section 6 (which specifies the update
to RFC 6376)
3. remove the requirement to use 1024-bit keys for "rsa-sha256"

That means changing Section 3 to concentrate on what rsafp does,
rather than specify it as patches to RFC 6376.

Yes, this doesn't make the change to hashed keys generic and others
will likely cargo-cult this document, but monkey-patching RFC 6376
like this could affect "rsa" keys as well as "rsafp" keys.

OLD:
   Section 5.5 of [RFC6376], on computing the message hash and
   signature, is modified as follows: When creating a signature with a
   signing algorithm that uses a key fingerprint, the signer includes
   the public key in the signature as a base64 encoded string with a k=
   tag.  The key in the tag is the same one that would be published in a
   non-fingerprint key record.
NEW:
   When creating a signature with an "rsafp" algorithm, the signer
   includes the public key in the signature as a base64 encoded
   string with a p= tag.  The value of the p= tag is an ASN.1
   DER-encoded [ITU-X660-1997] RSAPublicKey (see [RFC3447], Sections
   3.1 and A.1.1).

IMPORTANT: I think that you meant p= here rather than k=.

OLD:
   Section 3.7 of [RFC6376], on computing the message hashes, is not
   modified.  Since the key in the k= tag is known in advance, it
   included in the signature in the same manner as all of the other
   signature fields other than b=.
NEW:
   Message hashes are computed exactly as described in [RFC6376].
   Since the key in the p= tag is known in advance, it is included in
   the signature in the same manner as all of the other signature
   fields other than b=.

OLD:
   Section 6.1.3 of [RFC6376], to compute the verification, is modified
   as follows: In item 4, if the signing algorithm uses a key
   fingerprint, extract the verification key from the k= tag.  If there
   is no such tag, the signature does not validate.  Extract the key
   hash from the p= tag of the key record.  If there is no such tag or
   the tag is empty, the signature does not validate.  Compute the
   SHA-256 hash of the verification key, and compare it to the value of
   the key hash.  If they are not the same, the signature does not
   validate.  Otherwise proceed to verify the signature using the
   validation key and the algorithm described in the "a=" tag.
NEW:
   To verify a signature using the "rsafp" algorithm, follow the
   process described in RFC 6376 for "rsa" keys.  However, the
   "rsafp" algorithm takes the verification key from the p= tag.  If
   the p=tag is not present in the message, the signature does not
   validate.  In addition to signature verification, the verifier
   MUST ensure that the p= field of the key record is equal to the
   SHA-256 hash of the verification key.  If this check fails, the
   signature does not validate.

Final unrelated comment:

You recommend that "rsafp signatures SHOULD use key lengths of 1536 or
2048 bits".  I think that you want to include an "at least" here, and
use MUST.  Pick a number.  The rest of the industry is relatively
comfortable with 2048, which would be my pick, i.e., "rsafp signatures
MUST use keys that are 2048 bits or larger"



On 29 July 2017 at 04:11, John R Levine <johnl@taugh.com> wrote:
> This takes out the sha-1 deprecation stuff and makes many editorial changes
> based on comments from ekr and Martin T.  I didn't necessarily do everything
> they suggested, but I think I did look at all the suggestions.
>
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
>
> _______________________________________________
> Dcrup mailing list
> Dcrup@ietf.org
> https://www.ietf.org/mailman/listinfo/dcrup

v2.23.0 | Report a Bug | By Email