[Dcrup] Work on draft-ietf-dcrup-dkim-usage
Scott Kitterman <sklist@kitterman.com> Sat, 03 June 2017 18:02 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E98EF12EB5B for <dcrup@ietfa.amsl.com>; Sat, 3 Jun 2017 11:02:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.99
X-Spam-Level:
X-Spam-Status: No, score=-1.99 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_HTML_ATTACH=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ffkushCWzSTi for <dcrup@ietfa.amsl.com>; Sat, 3 Jun 2017 11:02:16 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [IPv6:2607:f0d0:3001:aa::2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EA9912EB55 for <dcrup@ietf.org>; Sat, 3 Jun 2017 11:02:16 -0700 (PDT)
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 44D4DC4010C for <dcrup@ietf.org>; Sat, 3 Jun 2017 13:02:14 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1496512934; bh=qyu+TOYZMslF5m9MOTVcZCBe+OpoujYB0+2J2kZbE80=; h=From:To:Subject:Date:From; b=D0SfxJPz0beBfglczZpP4B6wmv0dTEQKxtZbXjfPbQ8qwE4DSRK3mpUnm1qB/dMhB 1KIGet2E28lp+hl50Y2OgO98UMQimavoQYv0h2ZFpkSj61VLQYJOMGmDGzOZULiUuO W4jbasHA+245ORLOt+4dYvZwS8swAKFTcqIIixos=
From: Scott Kitterman <sklist@kitterman.com>
To: dcrup@ietf.org
Date: Sat, 03 Jun 2017 14:02:13 -0400
Message-ID: <1870784.2tGGxD3xed@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-119-generic; KDE/4.13.3; x86_64; ; )
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="nextPart1965194.WfSBeShprZ"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/G1fcOKVbj_RaPHzsDkcbwVtSEOI>
Subject: [Dcrup] Work on draft-ietf-dcrup-dkim-usage
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Jun 2017 18:02:19 -0000
I have locally updated the draft based on my interpretation of the discussion on the list. Rfcdiff attached. Added an informative reference to the US-CERT vulnerability report on this issue. Added updates to header field and key records that I missed in my first draft. Also, I forgot to mention before that, since all the cool kids are doing it, I put this up on my github account. This is, of course, in no way officially anything at all. It's only a way for me to keep track of changes. https://github.com/kitterma/draft-ietf-dcrup-dkim-usage I did not take on the question of adding key sizes to the IANA registry for several reasons: 1. Adding it at all is somewhat controversial and I'm hoping to limit the controversy in this particular document so we can get it done. I view this document as the minimum update to RFC 6376 required to update DKIM to remove known insecure things. An IANA registry doesn't affect that. 2. Different types of algorithms have widely different key size requirements, so I don't believe we will really know what such a registry would need to look like until after we've finished working through questions about what is the next generation DKIM algorithm going to be. Making a registry now would mean we might need to redo it later. Let's do it once, if we are going to to it at all. 3. There is some nuance about key size rules that I'm not sure how to fit into an IANA registry. One other thing that perhaps should go into this draft is more on Security Considerations. If you look at the Security Considerations in RFC 6376, it does not mention risks associated with using an obsolete hash algorithm or a key that is too small. Adding a new security consideration as an "update" to RFC 6376 that describes the problem this draft is solving might be a good thing? As revisions are cheap, unless someone objects, I'll go ahead and post this (or something similar based on feedback) soon. Scott K
- [Dcrup] Work on draft-ietf-dcrup-dkim-usage Scott Kitterman
- Re: [Dcrup] Work on draft-ietf-dcrup-dkim-usage Murray S. Kucherawy