Re: [Dcrup] draft-ietf-dcrup-dkim-usage and document shepherds

Seth Blank <seth@valimail.com> Tue, 13 June 2017 07:50 UTC


On Mon, Jun 12, 2017 at 3:29 PM, Scott Kitterman <sklist@kitterman.com>
wrote:

> If I knew which of the three approaches to take, then I could pick one and
> write it:
>
> 1.  Fully replace section 3.3 explicitly saying MUST rsa-sha256 and MUST NOT
> rsa-sha1 (my personal preference)
>
> 2.  Fully replace section 3.3 dropping rsa-sha1 and just giving the new
> requirements (possibly with an appendix that says MUST NOT rsa-sha1)
>
> 3.  Make the draft a lot shorter and only state updated requirements.  Also
> don't remove rsa-sha1 [1]
>

I think #2 is the cleanest for a lot of reasons, but I'm sympathetic to the
argument about the RFC making it clear what has changed to an implementer
reading it, and this has persuaded me. If the point of this document is to
get implementers who have been using sha-1 and weak keys to throw them out,
#1's language accomplishes this explicitly.

So I'm voting for #1.
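As an added illustration of what option #1's requirements look like on the verifier side (example code, not part of the dcrup draft or any DKIM implementation), the following policy pre-check rejects `a=rsa-sha1`, requires `a=rsa-sha256`, and flags weak keys by measuring the decoded `b=` signature, whose length equals the RSA modulus. The 1024-bit minimum and the sample headers are assumptions constructed for the example; the draft text quoted above names no number.

```python
"""Policy pre-check for DKIM-Signature headers per option #1 above:
MUST rsa-sha256, MUST NOT rsa-sha1, and no weak (short) RSA keys.
Added example, not code from the dcrup draft or an existing verifier."""
import base64
import re

MIN_RSA_BITS = 1024  # assumption: the quoted draft text gives no threshold


def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list).
    Folding whitespace is stripped from values so base64 fields decode."""
    tags = {}
    for field in header_value.split(";"):
        if "=" not in field:
            continue
        name, value = field.split("=", 1)  # base64 padding '=' stays in value
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def rsa_signature_bits(b_tag: str) -> int:
    """An RSA signature is exactly one modulus long, so the decoded b= length
    reveals the signing key size without fetching the DNS key record."""
    return len(base64.b64decode(b_tag)) * 8


def check_signature_policy(header_value: str) -> tuple:
    """Return (accepted, reason). Only algorithm and key-size policy is
    checked; cryptographic verification of the signature must still follow."""
    tags = parse_tags(header_value)
    alg = tags.get("a", "")
    if alg == "rsa-sha1":
        return (False, "rsa-sha1 is MUST NOT")
    if alg != "rsa-sha256":
        return (False, f"unsupported algorithm {alg!r}; rsa-sha256 is MUST")
    if "b" not in tags:
        return (False, "missing b= tag")
    bits = rsa_signature_bits(tags["b"])
    if bits < MIN_RSA_BITS:
        return (False, f"{bits}-bit key is below the {MIN_RSA_BITS}-bit minimum")
    return (True, f"rsa-sha256 with a {bits}-bit key")


# Constructed sample headers (not real signatures): b= holds filler bytes of
# the length a 2048-bit, 1024-bit and 512-bit RSA signature would have.
SAMPLE_OK = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\n"
             " h=from:to:subject; bh=AAAA; b=" + base64.b64encode(b"\x01" * 256).decode())
SAMPLE_SHA1 = "v=1; a=rsa-sha1; d=example.com; s=sel; bh=AAAA; b=" + base64.b64encode(b"\x01" * 128).decode()
SAMPLE_WEAK = "v=1; a=rsa-sha256; d=example.com; s=sel; bh=AAAA; b=" + base64.b64encode(b"\x01" * 64).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_SHA1, SAMPLE_WEAK):
        print(check_signature_policy(sample))
```

The signature-length check only bounds the key size claimed by the header; a forged `b=` of the right length still fails real verification, so this is a cheap pre-filter, not a replacement for it.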