Re: [Dcrup] we need to do the work, was draft-ietf-dcrup-dkim-usage and document shepherds

"John Levine" <johnl@taugh.com> Sat, 10 June 2017 12:53 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F37181293EC for <dcrup@ietfa.amsl.com>; Sat, 10 Jun 2017 05:53:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6AdGKbwQiCXW for <dcrup@ietfa.amsl.com>; Sat, 10 Jun 2017 05:53:24 -0700 (PDT)
Received: from miucha.iecc.com (w6.iecc.com [IPv6:2001:470:1f07:1126::4945:4343]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 537A612711E for <dcrup@ietf.org>; Sat, 10 Jun 2017 05:53:24 -0700 (PDT)
Received: (qmail 41784 invoked from network); 10 Jun 2017 12:53:22 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 10 Jun 2017 12:53:22 -0000
Date: Sat, 10 Jun 2017 12:53:00 -0000
Message-ID: <20170610125300.14197.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: dcrup@ietf.org
Cc: sklist@kitterman.com
In-Reply-To: <DE201939-EA16-4957-B160-2B45B3BA60C1@kitterman.com>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/BUGfgd3Wo2m84V6mp5h3UtvRzaY>
Subject: Re: [Dcrup] we need to do the work, was draft-ietf-dcrup-dkim-usage and document shepherds
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Jun 2017 12:53:26 -0000

In article <DE201939-EA16-4957-B160-2B45B3BA60C1@kitterman.com> you write:
>This particular draft is already roughly five years late.

Sure.  So's mine.

>If we don't get something that rips out the obsolete crypto soon, then ARC is either going to have to wait or have a
>separate crypto specification from DKIM.  I don't see a new protocol with rsa-sha1 512 bits getting approved. 
>Neither of those options is good.

The whole point of spinning up this group was to fix the DKIM crypto
before ARC is published.  Since RSA with more than 1K keys has the
same TXT record problem with ARC as for DKIM, I think it's at least as
urgent to add a future-resistant algorithm with smaller keys as to
deprecate old stuff, probably more so.

This shouldn't be hard, we're not trying to invent anything.  I was
hoping Scott and others who know more about crypto than I do would be
making concrete suggestions about which elliptical algorithm to add,
by now.

R's,
John