Re: [Dcrup] AD review of draft-ietf-dcrup-dkim-usage-04.txt
"Murray S. Kucherawy" <superuser@gmail.com> Wed, 01 November 2017 22:45 UTC
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Wed, 01 Nov 2017 15:45:16 -0700
Message-ID: <CAL0qLwYM_k7gUDWX8=ZNoROj=zFtQuW9pTqvRLtvwSHDEDTNGQ@mail.gmail.com>
To: Alexey Melnikov <aamelnikov@fastmail.fm>
Cc: dcrup@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/95l7NCmX51kvGns33lTCdQPIGlQ>
Circling back on this, which is the remaining point:

On Thu, Aug 31, 2017 at 3:58 AM, Alexey Melnikov <aamelnikov@fastmail.fm> wrote:
> On Thu, Aug 31, 2017, at 01:11 AM, Murray S. Kucherawy wrote:
> > On Wed, Aug 30, 2017 at 11:33 AM, Alexey Melnikov <aamelnikov@fastmail.fm> wrote:
> > > On Wed, Aug 30, 2017, at 07:29 PM, Murray S. Kucherawy wrote:
> > > > The first line in Section 4 already says this updates 3.3 of RFC6376. You think we need to be more specific?
> > >
> > > As I mentioned: I think sections 3.3.2 and 3.3.4 are still relevant. If this document is replacing 3.3 and its subsections, some of this is lost.
> > >
> > > If you really intended to replace 3.3 and its subsections, it would be worth adding "and its subsections" to the draft.
> >
> > The draft says "updates", but you're saying "replaces". I don't see those as the same thing. What this document says is to my mind treated as an overlay, not a replacement; read RFC6376, then read this for current advice, then act.
>
> I assume you are replacing the whole sections. If this is not what you are doing, the document is even less clear and needs to be clarified.
>
> > If it's better to say this updates a specific subsection, then that's also reasonable. I just thought what we have is sufficient.
>
> Yes, please be specific. I couldn't be certain which sections are still in force and which were updated.

I propose this, replacing our document's current Section 4:

   4. Update to DKIM Signing and Verification Algorithms

   Section 4.1 updates the text in [RFC6376] Section 3.3. Section 4.2
   updates the first paragraph in [RFC6376] Section 3.3.3.

   4.1. DKIM Signing and Verification Algorithms

   DKIM supports multiple digital signature algorithms. Two algorithms
   are defined by this specification at this time: rsa-sha1 and
   rsa-sha256. Signers MUST sign using rsa-sha256. Verifiers MUST be
   able to verify using rsa-sha256. rsa-sha1 MUST NOT be used for
   signing or verifying.

   DKIM signatures signed with historic algorithms (currently rsa-sha1)
   or with insufficient key sizes (currently rsa-sha256 with less than
   1024 bits) have permanently failed evaluation as discussed in
   [RFC6376] Section 3.9 <https://tools.ietf.org/html/rfc6376#section-3.9>.

   4.2. Key Sizes

   Selecting appropriate key sizes is a trade-off between cost,
   performance, and risk. Since short RSA keys more easily succumb to
   off-line attacks, Signers MUST use RSA keys of at least 1024 bits
   for all keys. Signers SHOULD use RSA keys of at least 2048 bits.
   Verifiers MUST be able to validate signatures with keys ranging from
   1024 bits to 4096 bits, and they MAY be able to validate signatures
   with larger keys. Verifier policies can use the length of the
   signing key as one metric for determining whether a signature is
   acceptable. Verifiers MUST NOT consider signatures using RSA keys of
   less than 1024 bits as valid signatures.

Alexey, would this suffice?

-MSK
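As an added illustration of the verifier-side rules in the proposed Sections 4.1 and 4.2 above (example code written for this page; it is not from the draft, from RFC 6376, or from any DKIM implementation, and it does not perform the actual signature verification): the check reads the a= tag of a DKIM-Signature header and the p= key of a DKIM key record, measures the RSA modulus in the key's SubjectPublicKeyInfo with a minimal hand-written DER walk, and applies the MUST/SHOULD thresholds. The signature header and key records are constructed for the example; the moduli are just integers of the chosen bit length rather than real RSA keys, and the b= and bh= values are placeholders. Rejecting keys above 4096 bits is a local policy choice that the proposed text permits (verifiers MAY accept larger keys), not a requirement.

```python
"""Apply the proposed Section 4 algorithm and key-size policy to a signature/key pair.
Added example, not draft text.  Key records below are constructed, not real keys."""
import base64

SEQUENCE, INTEGER, BIT_STRING, OID, NULL = 0x30, 0x02, 0x03, 0x06, 0x05
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def parse_tag_list(text):
    """RFC 6376 tag=value list, as used by DKIM-Signature and key records."""
    tags = {}
    for field in text.split(";"):
        if "=" in field:
            name, value = field.split("=", 1)  # b= may itself contain '=' padding
            tags[name.strip()] = "".join(value.split())  # folding whitespace is not significant
    return tags


# --- minimal DER helpers, enough for an RSA SubjectPublicKeyInfo ---------------
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _der_int(v):
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _der(INTEGER, (b"\x00" if body[0] & 0x80 else b"") + body)  # keep positive


def _read(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def make_key_record(modulus_bits):
    """Constructed DKIM key record whose p= carries an RSA SPKI of the given size.
    The modulus is only an integer with the top bit set (exact length); not a real key."""
    modulus = (1 << (modulus_bits - 1)) | 0x1234567
    rsa_pub = _der(SEQUENCE, _der_int(modulus) + _der_int(65537))
    alg_id = _der(SEQUENCE, _der(OID, RSA_OID) + _der(NULL, b""))
    spki = _der(SEQUENCE, alg_id + _der(BIT_STRING, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


def rsa_modulus_bits(spki_der):
    """SubjectPublicKeyInfo -> AlgorithmIdentifier check -> BIT STRING -> RSAPublicKey.n"""
    _, spki, _ = _read(spki_der, 0)
    _, alg_id, pos = _read(spki, 0)
    _, oid, _ = _read(alg_id, 0)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bit_string, _ = _read(spki, pos)
    _, rsa_pub, _ = _read(bit_string[1:], 0)  # skip the unused-bits octet
    _, modulus, _ = _read(rsa_pub, 0)
    return int.from_bytes(modulus, "big").bit_length()


def key_record_bits(key_record):
    return rsa_modulus_bits(base64.b64decode(parse_tag_list(key_record)["p"]))


def evaluate(signature_header, key_record):
    """Return (status, detail) under the proposed Section 4.1/4.2 rules."""
    sig, key = parse_tag_list(signature_header), parse_tag_list(key_record)
    alg = sig.get("a", "")
    if alg == "rsa-sha1":
        return "PERMFAIL", "historic algorithm rsa-sha1"  # MUST NOT be used for verifying
    if alg != "rsa-sha256":
        return "PERMFAIL", "unsupported signature algorithm " + alg
    if key.get("k", "rsa") != "rsa" or not key.get("p"):
        return "PERMFAIL", "key record is not a usable RSA key"
    bits = key_record_bits(key_record)
    if bits < 1024:
        return "PERMFAIL", f"key too short: {bits} bits"  # MUST NOT be considered valid
    if bits > 4096:
        return "PERMFAIL", f"{bits}-bit key exceeds this verifier's policy"  # local choice; MAY accept
    note = "ok" if bits >= 2048 else "ok, but below the 2048-bit SHOULD"
    return "ACCEPTABLE", f"{bits}-bit rsa-sha256 ({note})"


# Constructed sample signature header (folded as on the wire); b=/bh= are placeholders.
SHA256_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2017;\r\n"
              "\th=from:to:subject:date; bh=AAAA; b=BBBB")
SHA1_SIG = SHA256_SIG.replace("rsa-sha256", "rsa-sha1")

if __name__ == "__main__":
    for label, sig, bits in [("sha256/2048", SHA256_SIG, 2048), ("sha256/1024", SHA256_SIG, 1024),
                             ("sha256/512", SHA256_SIG, 512), ("sha1/2048", SHA1_SIG, 2048)]:
        print(label, evaluate(sig, make_key_record(bits)))
```

The bit length comes from the modulus itself rather than from the length of the p= string, since base64 and DER overhead make the string length an unreliable proxy; a real verifier would perform this check before spending CPU on the RSA operation, and would still have to verify the signature afterwards.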