Re: [Dcrup] Time For People To Really Stop Using SHA-1 Signatures?
Scott Kitterman <sklist@kitterman.com> Tue, 14 January 2020 14:51 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D99251200F6 for <dcrup@ietfa.amsl.com>; Tue, 14 Jan 2020 06:51:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=vs9jZfdO; dkim=pass (2048-bit key) header.d=kitterman.com header.b=fEhbF7g+
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vOL54tAGu7kL for <dcrup@ietfa.amsl.com>; Tue, 14 Jan 2020 06:51:01 -0800 (PST)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75E6012009E for <dcrup@ietf.org>; Tue, 14 Jan 2020 06:51:01 -0800 (PST)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id 7AAACF801CD for <dcrup@ietf.org>; Tue, 14 Jan 2020 09:50:59 -0500 (EST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1579013459; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=gxQ5Cyv8Ei+BLmNTXo/2st1ZM1yJORAwYit8Tj1WDns=; b=vs9jZfdOyuXwOdr7+/ve0x5K3kSMbbDk9fra9qcM3e+3DlIub8Z0JWI7 Ll8YI5ICmUjltwAxVtyNsrH3+xJ+BA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1579013459; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=gxQ5Cyv8Ei+BLmNTXo/2st1ZM1yJORAwYit8Tj1WDns=; b=fEhbF7g+Lz91sPS/0O+vAZxHfBUdiZ3JA0J4bY+SXv3wGKYSY3VB7rnt gxT30s0gzN3ENJILz9ocJCyCMSU1HQpc/CBlDEG9AhQwEg4Ph4NwtXGbpU U9R1N6lXpN4Qg4S/Um3Q8d1HNotvK/i1TiCYehgL3otD5gUXwkD0tspR1t c05lE7MHsUkfHYw1gGCrgOTkZX7wopJMkns0oLlx5rqEIwouAif2qUmIAc Fw9tPdBAXViGyrkiwT66gzjWn404f9sMbbwOYiG6Nceiq25InPe1TbLONs yVPFvDNf2xrjCZCj3intCkPQ6Au6Gna60msNvfFgOqdGtWIafKwXTA==
Received: from l5580.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTPSA id 4D862F800F2 for <dcrup@ietf.org>; Tue, 14 Jan 2020 09:50:59 -0500 (EST)
From: Scott Kitterman <sklist@kitterman.com>
To: dcrup@ietf.org
Date: Tue, 14 Jan 2020 09:50:58 -0500
Message-ID: <2930903.4jkiU04MHV@l5580>
In-Reply-To: <5E1DD3B8.5030507@isdg.net>
References: <1836468.B6t98xBJ9D@l5580> <9c3b08b1-909c-197c-2c7a-1c7eff660202@bluepopcorn.net> <5E1DD3B8.5030507@isdg.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/DV3-WgZmGZ9OWJ6Y8R4rEjpbEro>
Subject: Re: [Dcrup] Time For People To Really Stop Using SHA-1 Signatures?
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2020 14:51:08 -0000
On Tuesday, January 14, 2020 9:44:08 AM EST Hector Santos wrote: > Whether SHA1 usage is 10%, 5% or 1%, we need to remember, it is still > part of the protocol and DKIM Verifiers MUST be including SHA1 for > verification purposes. No. It's not. Please review RFC 8301, which updates RFC 6376: > 3.1. Signing and Verification Algorithms > > DKIM supports multiple digital signature algorithms. Two algorithms > are defined by this specification at this time: rsa-sha1 and > rsa-sha256. Signers MUST sign using rsa-sha256. Verifiers MUST be > able to verify using rsa-sha256. rsa-sha1 MUST NOT be used for > signing or verifying. > > DKIM signatures identified as having been signed with historic > algorithms (currently, rsa-sha1) have permanently failed evaluation > as discussed in Section 3.9 of [RFC6376]. I know you know this, so please stop pretending it's not true. Scott K
- [Dcrup] Time For People To Really Stop Using SHA-… Scott Kitterman
- Re: [Dcrup] Time For People To Really Stop Using … Russ Housley
- Re: [Dcrup] Time For People To Really Stop Using … Viktor Dukhovni
- Re: [Dcrup] Time For People To Really Stop Using … Jim Fenton
- Re: [Dcrup] Time For People To Really Stop Using … Phillip Hallam-Baker
- Re: [Dcrup] Time For People To Really Stop Using … Hector Santos
- Re: [Dcrup] Time For People To Really Stop Using … Hector Santos
- Re: [Dcrup] Time For People To Really Stop Using … Scott Kitterman
- Re: [Dcrup] Time For People To Really Stop Using … Scott Kitterman
- Re: [Dcrup] Time For People To Really Stop Using … Salz, Rich
- Re: [Dcrup] Time For People To Really Stop Using … Hector Santos
- Re: [Dcrup] Time For People To Really Stop Using … Salz, Rich
- Re: [Dcrup] Time For People To Really Stop Using … Hector Santos
- Re: [Dcrup] Time For People To Really Stop Using … Hector Santos
- Re: [Dcrup] Time For People To Really Stop Using … Viktor Dukhovni