[Dcrup] Re: [Ietf-dkim] [standards] [Editorial Errata Reported] RFC8463 (7930)

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 17 May 2024 04:02 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78A9DC14F6FD for <dcrup@ietfa.amsl.com>; Thu, 16 May 2024 21:02:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dukhovni.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wwG05oSkwpiG for <dcrup@ietfa.amsl.com>; Thu, 16 May 2024 21:02:25 -0700 (PDT)
Received: from chardros.imrryr.org (chardros.imrryr.org [144.6.86.210]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED2B5C14F712 for <dcrup@ietf.org>; Thu, 16 May 2024 21:02:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dukhovni.org; i=@dukhovni.org; q=dns/txt; s=f8320d6e; t=1715918571; h=date : from : to : subject : message-id : references : mime-version : content-type : in-reply-to : from; bh=m/0wF2RLY4a4/874GVTMixdPS3O2hVc6PSUxPSuJVtI=; b=cZ1HERlmaDQ7TGEBL9ydGDB4Z9DINShQtWv92rbSB29wFfQNy4pVh6FsCZ4hcGybseo6L MLaWXR07WunydDpsGEOmQcX8Docv++TMlCbD/2RglFEG0k5yv1hKX7JrbRmQxFWoT3swaLZ C3JNoFClkC2VIDPt0tYCMcRBK9TV37I=
Received: by chardros.imrryr.org (Postfix, from userid 1000) id 4A8DB893CE0; Fri, 17 May 2024 00:02:51 -0400 (EDT)
Date: Fri, 17 May 2024 00:02:51 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dcrup@ietf.org
Message-ID: <ZkbW6z2ilRbVj-7S@chardros.imrryr.org>
References: <ZkAOictS1ygyIBZe@chardros.imrryr.org> <20240512005258.N-lL8YIA@steffen%sdaoden.eu> <CAL0qLwYPtxxDhYEjH0D5YkcXBf6Qy6Xcux7PdvFtwhJzpaUxyg@mail.gmail.com> <ACD165BA-9195-480E-9FA0-44A44097E6A8@isdg.net> <20240513203259.hFdFtvyd@steffen%sdaoden.eu> <ZkLM72PMJeWpet5C@chardros.imrryr.org> <20240515001817.saYJ-VOe@steffen%sdaoden.eu> <CDA9C77F-A74A-4303-AE9E-3E71661AA490@isdg.net> <DC85F374-B15C-442C-9F5E-15B4EEA3022D@dukhovni.org> <20240516222922.RlI6iUKT@steffen%sdaoden.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20240516222922.RlI6iUKT@steffen%sdaoden.eu>
Message-ID-Hash: DHXDOMKDWR3AVRC4EPON2IPF7DMCBTQY
X-Message-ID-Hash: DHXDOMKDWR3AVRC4EPON2IPF7DMCBTQY
X-MailFrom: ietf-dane@dukhovni.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dcrup.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Dcrup] Re: [Ietf-dkim] [standards] [Editorial Errata Reported] RFC8463 (7930)
List-Id: DKIM Crypto Update <dcrup.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/F3wezOfZSA29_eyv2YqASdFtuWo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Owner: <mailto:dcrup-owner@ietf.org>
List-Post: <mailto:dcrup@ietf.org>
List-Subscribe: <mailto:dcrup-join@ietf.org>
List-Unsubscribe: <mailto:dcrup-leave@ietf.org>

On Fri, May 17, 2024 at 12:29:22AM +0200, Steffen Nurpmeso wrote:

> That is five years and still you need to DKIM-double-sign your
> emails, because major email player with which you have to be
> compatible to simply do not follow this spec.

The "major email players" are focused various business objectives that
take precedence over technical nits that no users care about.  This has
nothing to do with the details of the new Ed25519 spec, and everything
to do with RSA + SHA256 being "good enough" for now.  Inertia is a fact
of life at Internet scale.

You are much too fixated on minor details of RFC8436.  It may not be
perfect, but it makes some sense in light of RFC6376, and lack of
Ed25519ph APIs in OpenSSL at the time RFC8463 was written ~six years
ago.

Support for the plausibly more natural Ed25519ph was added to OpenSSL
3.2 in Nov 2023!  And there still isn't an IUF (init, update, final)
streaming API for Ed25519ph: only one-shot operation is supported.
Signing a precomputed hash with Pure EdDSA is a workable alternative.

Best to let it go.  I suggest not replying for at least a week, and if,
once the urge to immediately reply has cooled down, you have something
materially new to add, craft a concise followup, carefully sticking to
the essential technical point you're sure has not already been
addressed.

Over and out.

-- 
    Viktor.