[Dcrup] rsa-sha1 proposals
Scott Kitterman <sklist@kitterman.com> Tue, 20 June 2017 15:43 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBFC813148E for <dcrup@ietfa.amsl.com>; Tue, 20 Jun 2017 08:43:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w-YNwjX3-cSC for <dcrup@ietfa.amsl.com>; Tue, 20 Jun 2017 08:43:42 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F206131BAB for <dcrup@ietf.org>; Tue, 20 Jun 2017 08:39:36 -0700 (PDT)
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 336A1C400DA for <dcrup@ietf.org>; Tue, 20 Jun 2017 10:39:35 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1497973175; bh=w1IqPAFfmypPQ4lKLVYdliTh0dYYQNfJ6+pkOwe0gCg=; h=From:To:Subject:Date:From; b=gqipgV4Oya12i64wcwQiG4QR1Zw/YxI8notEDCyidsADpf6ar2TaDgpDQSIAADqHn gsFrIvYlpHOE17lcm1NwuRRSZ1g6c/QwFB9ZUnm7f8d2V7n42t69Odthwo0iUBKNFS TibxJWscmxEjnvxHDtZuZjUGQ7iP/6TZb1TUWMd0=
From: Scott Kitterman <sklist@kitterman.com>
To: "dcrup@ietf.org" <dcrup@ietf.org>
Date: Tue, 20 Jun 2017 11:39:34 -0400
Message-ID: <1642300.47WuTbIWPP@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-119-generic; KDE/4.13.3; x86_64; ; )
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/KiYCaTCz3ZZdgpVKBg-G6rS9GiY>
Subject: [Dcrup] rsa-sha1 proposals
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jun 2017 15:43:45 -0000
I think we still have some different opinions on what to do with rsa-sha1, so I thought I'd attempt to summarize the different options (as best I can, I have an opinion, so I'm sure my bias will leak in) in the hopes it will help drive this part of the WG discussion to closure. Note: I'm not talking about RSA key sizes because it seems to me we're largely converged on that topic. I think there are roughly three options that have been discussed: Status quo: > Signers MUST implement and SHOULD sign using rsa-sha256. Verifiers MUST > implement both rsa-sha1 and rsa-sha256. Deprecate rsa-sha1: > Signers MUST implement and sign using rsa-sha256 only. Verifiers MUST > implement both rsa-sha1 and rsa-sha256. Remove rsa-sha1: > Signers MUST implement and sign using rsa-sha256 only. Verifiers MUST > implement rsa-sha256. rsa-sha1 is obsolete and MUST not be used. Note: This option also removes rsa-sha1 from the ABNF. Pro/Con for each: Status quo: There is no immediate known security threat to rsa-sha1 that would indicate its imminent demise as a useful algorithm in this application and rsa-sha1 signatures are still in significant use. RSA key sizes are the current security issue and that can be fixed without doing anything about rsa-sha1. There are a number of known shortcomings with rsa-sha1 and given that rsa- sha256 is available and does not share the same issues, raising the bar to require rsa-sha256 is easy and a prudent step to take in advance of issues being published. Let's not wait until we have to panic. Retaining rsa-sha1 means DKIM implementers will have to deal with three algorithms rather than two and this raises implementation complexity and the risk of things going wrong. Deprecate rsa-sha1: There is no immediate known security threat to rsa-sha1 that would indicate its imminent demise as a useful algorithm in this application and rsa-sha1 signatures are still in significant use. RSA key sizes are the current security issue and that can be fixed without doing anything about rsa-sha1, but if we move to a more aggressive stance against rsa-sha1 now, it should be easier to remove it when needed. There are a number of known shortcomings with rsa-sha1 and given that rsa- sha256 is available and does not share the same issues, raising the bar to require rsa-sha256 is easy and a prudent step to take in advance of issues being published. Let's not wait until we have to panic. Retaining rsa-sha1 means DKIM implementers will have to deal with three algorithms rather than two and this raises implementation complexity and the risk of things going wrong. Remove rsa-sha1: This option eliminates (to the extent it is adopted) the potential of security risks with rsa-sha1. If a relevant issue with rsa-sha1 is made public, there will be no further standards work that needs to be done. This option also keeps the number of algorithms at two, eliminating the additional complexity associated with having more algorithms to sort through in implementation. While this might be considered somewhat abrupt, rsa-sha1 signing has been effectively SHOULD NOT for a decade. Maybe this will create some momentum for operators to move off of it. It is abrupt to remove something without a formal deprecation period. Thoughts? Scott K
- [Dcrup] rsa-sha1 proposals Scott Kitterman
- Re: [Dcrup] rsa-sha1 proposals Seth Blank
- Re: [Dcrup] rsa-sha1 proposals Scott Kitterman
- Re: [Dcrup] rsa-sha1 proposals Salz, Rich
- Re: [Dcrup] rsa-sha1 proposals Jim Fenton
- Re: [Dcrup] rsa-sha1 proposals Kurt Andersen
- Re: [Dcrup] rsa-sha1 proposals Brandon Long
- Re: [Dcrup] rsa-sha1 proposals Hector Santos
- Re: [Dcrup] rsa-sha1 proposals Hector Santos
- Re: [Dcrup] rsa-sha1 proposals Scott Kitterman
- Re: [Dcrup] rsa-sha1 proposals John Levine
- Re: [Dcrup] rsa-sha1 proposals Hector Santos
- Re: [Dcrup] rsa-sha1 proposals Hector Santos
- Re: [Dcrup] rsa-sha1 proposals Seth Blank
- Re: [Dcrup] rsa-sha1 proposals Hector Santos
- Re: [Dcrup] rsa-sha1 proposals Jim Fenton
- Re: [Dcrup] rsa-sha1 proposals Scott Kitterman
- Re: [Dcrup] rsa-sha1 proposals Hector Santos
- Re: [Dcrup] rsa-sha1 proposals Salz, Rich
- Re: [Dcrup] rsa-sha1 proposals Scott Kitterman
- Re: [Dcrup] rsa-sha1 proposals Hector Santos
- Re: [Dcrup] rsa-sha1 proposals John Levine
- Re: [Dcrup] rsa-sha1 proposals John Levine
- Re: [Dcrup] rsa-sha1 proposals Brandon Long
- Re: [Dcrup] rsa-sha1 proposals Phillip Hallam-Baker
- [Dcrup] Review of draft-ietf-dcrup-dkim-crypto-02 Jim Fenton
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… John R. Levine