IETF Logo Mail Archive

Re: [Dcrup] rsa-sha1 usage

Peter Goldstein <peter@valimail.com> Wed, 14 June 2017 16:25 UTC

Return-Path: <peter@valimail.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9143128C83 for <dcrup@ietfa.amsl.com>; Wed, 14 Jun 2017 09:25:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.019
X-Spam-Level:
X-Spam-Status: No, score=-1.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EIJt03fYVbUa for <dcrup@ietfa.amsl.com>; Wed, 14 Jun 2017 09:25:44 -0700 (PDT)
Received: from mail-qt0-x229.google.com (mail-qt0-x229.google.com [IPv6:2607:f8b0:400d:c0d::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3BB1128B4E for <dcrup@ietf.org>; Wed, 14 Jun 2017 09:25:43 -0700 (PDT)
Received: by mail-qt0-x229.google.com with SMTP id c10so5814897qtd.1 for <dcrup@ietf.org>; Wed, 14 Jun 2017 09:25:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=UcBoSHyjBRjE8FVyfL9ERbJX1yzzgVbwF5ih6Aahheo=; b=ZX/DrN06fyRXAIFvM90qS/zw2ewyXE4YkH/F45T/shPTeGq5msY5pHLb1M5kTHVkgS SdIGyTmgQFdDqtVZ4+mKyKyGkmG25KIEJEJGg9A1tTQPOd3gLdPmTnhUJ+pZW5oQZrKb owzWSfTFR+nU/HFbaXBvzn94URMUxWcHjQ+5iVeObVzZFuQVu3lJ20tar9QQDAKcUZKo UtiH1nPIBpl6CVe//usM8xLKeXO1SJd0+WbEw2InQwjDz9fUkeHEFXtOWNDnb1aksRH4 2p06q/NT6qcNSJXoEtrtigpPf3dLBoqQY4ZEQJeHPDOh0pBSmX6HojDAW08kdMJYCUDa Wftw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=UcBoSHyjBRjE8FVyfL9ERbJX1yzzgVbwF5ih6Aahheo=; b=b+N5qIi885l4D6RyDnIV3xbsB62dm1mfj5oszBrOC27pGqAvIaAE8LcY0Fo/2RFovD 6VtpAq9SPDIt29Q9eA0db+yZvEbu/Ln1lieJ+QiqDqY4G4q18CgKopuyc5jfB6MJpfWq MtaVNvSVshqu0PdN6RxMB3mrVxc9zMySzH9TNE+tdajrV6hOHl7aSU4peWBR7ODswujM WiSlR9UfgfvNPrT6HvnCKnd6PwcxXDggwof3WCMgtY8ANc7NUjCbonSNGrRSBV7mC6FM eL4hmP2pYh5iIhsmnB1uFDvf9+P3UzQ2LCzFdKy86+s7zuBSHKZIqc092UG0QAhV2yO+ KbkQ==
X-Gm-Message-State: AKS2vOw+fOE29QjhdA+JqBHYJTcsYLb4VhGStRmuDwBRtAeNSAfZdQtW 8UPTa2TagFMf4/ZdoxA6Dd30FWF6hFizqwo=
X-Received: by 10.55.59.10 with SMTP id i10mr1057287qka.15.1497457543031; Wed, 14 Jun 2017 09:25:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.175.183 with HTTP; Wed, 14 Jun 2017 09:25:42 -0700 (PDT)
In-Reply-To: <CAMm+LwjiHiD0JGscz4d-3w3joPkzoVzxZVXzLwvW8EH-kFjxnw@mail.gmail.com>
References: <m38tkw53bd.fsf@carbon.jhcloos.org> <CABa8R6s6rzc+Ky8sLWcK7NtforSksEhNRkWVeF=k1v8GC80knw@mail.gmail.com> <m3wp8gpx20.fsf@carbon.jhcloos.org> <CAOj=BA2O+Hf2VGOtbmnqY2M5J9u8uJ7wm7SxEW551SXBwDdanw@mail.gmail.com> <5bf52517591d4950aec335d31bcf3631@usma1ex-dag1mb1.msg.corp.akamai.com> <aa52134a-ac20-bd70-8834-1598a8eaa536@bluepopcorn.net> <29B74569-6BB3-43F8-9549-566DA405B1FF@kitterman.com> <CAL0qLwaqPwb+cNhRCWLBp2qjTWtS65JAvstc9GfrhDDXRv+d6w@mail.gmail.com> <57fda1d5-b0b7-f226-60db-7f4c47233fc7@bluepopcorn.net> <CAL0qLwbFE5PzpOWzn-DwQ2D0z0=OAtEJLnwBbq2hk2SK2pc4Bg@mail.gmail.com> <87dfdc8c-5acc-e51e-a6d3-1e35611419b7@bluepopcorn.net> <BFDFAA4E-F253-497A-9881-D2223B45037A@kitterman.com> <CAMm+LwiPpPXbebhuKguRGzjtOMXv-=t9vS951R2nLSbjj+167Q@mail.gmail.com> <CAOZAAfPKvChF7wmsZ6mhsJ6VaArJ2AC+CqM1voY_RbHJ6WGr5Q@mail.gmail.com> <CAL0qLwa1yTRDPp33vf2vR3ozcxgSeAyrsZKsPZ90TPm3eXgrFA@mail.gmail.com> <CAMm+LwjiHiD0JGscz4d-3w3joPkzoVzxZVXzLwvW8EH-kFjxnw@mail.gmail.com>
From: Peter Goldstein <peter@valimail.com>
Date: Wed, 14 Jun 2017 09:25:42 -0700
Message-ID: <CAOj=BA37mEnKBa2VHtS8TjyCH-q=f=vysoWAZccM+iqYYVzjnQ@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>, dcrup@ietf.org
Content-Type: multipart/alternative; boundary="001a1148c6b8eb49610551ee0097"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/C5txSNmZRMXpBaJSD4dN1iZBSgA>
Subject: Re: [Dcrup] rsa-sha1 usage
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jun 2017 16:25:47 -0000

> Any transition has to be driven by the state of the deployed
> infrastructure. The sequence of facts that need to be gathered are as
> follows:
> X = proportion of implementations that accept RSA/SHA-2-256 signatures.
> Y = proportion of implementations that accept Ed25519 signatures
>
> >From these facts we then build a state machine that guarantees that
> 95-99% of all messages will be correctly processed by the deployed
> infrastructure.
> Phase 1) Dual sign with RSA/SHA-1 and RSA/SHA-2-256
> Phase 2) Sign with RSA/SHA-2-256
> Phase 3) Sign with Ed25519
> The decision to use MUST, MUST NOT, etc. is then driven by math.
> M3AAWG does not make the decision but they are probably best placed to
> collect the data.


The phases as described here do not fit the situation at hand.  As written
they mix two separate questions - rsa-sha1 vs rsa-256 and RSA vs Ed25519.
Those need to be considered separately.  Moreover, for the
rsa-sha1/rsa-sha256 the phases are also inappropriate because X is already
~100%

Verifiers were required to support rsa-sha256 by RFC 6376 -
https://tools.ietf.org/html/rfc6376#section-3.3 - and I'm unaware of any
verifier who does not support rsa-sha256.  Combine that with the fact that
a large number of systems (easily the majority of DKIM signers) currently
sign with rsa-sha256 (G Suite, Office365, Facebook, Twitter, etc.) and see
no need to dual sign with rsa-sha1, there's no reason to believe that there
is any significant non-zero population of receivers that validate DKIM for
rsa-sha1 but not for rsa-sha256.  Dual signing with rsa-sha1 and rsa-sha256
is not a necessary step in the rsa-sha1 deprecation process.

Rolling out Ed25519 signing support is a separate question, and it should
not be mixed with the rsa-sha1 deprecation question, even if they are
rolled into one document.  There is, as far as I know, no intention to
deprecate RSA in favor of Ed25519.  Rather the intention is to add Ed25519
as a more modern option for senders that supports shorter keys with better
resistance to attacks.

The current question before the working group is basically a procedural one
- Should we use the RFC2119 MUST NOT language for verifiers and their
acceptance of rsa-sha1 (transitioning from the affirmative SHOULD in RFC
6376) or avoid the use of such language?

Best,

Peter

-- 


[image: logo for sig file.png]

Bringing Trust to Email

Peter Goldstein | CTO & Co-Founder

peter@valimail.com
+1.415.793.5783 <(415)%20793-5783>

v2.29.0 | Report a Bug | By Email | System Status