Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypto-03

Peter Goldstein <peter@valimail.com> Mon, 10 July 2017 03:49 UTC

Return-Path: <peter@valimail.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D9C1131540 for <dcrup@ietfa.amsl.com>; Sun, 9 Jul 2017 20:49:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.019
X-Spam-Level:
X-Spam-Status: No, score=-1.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ApwFzQzHqSWv for <dcrup@ietfa.amsl.com>; Sun, 9 Jul 2017 20:49:18 -0700 (PDT)
Received: from mail-qt0-x22c.google.com (mail-qt0-x22c.google.com [IPv6:2607:f8b0:400d:c0d::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B19AF126CB6 for <dcrup@ietf.org>; Sun, 9 Jul 2017 20:49:18 -0700 (PDT)
Received: by mail-qt0-x22c.google.com with SMTP id i2so63147445qta.3 for <dcrup@ietf.org>; Sun, 09 Jul 2017 20:49:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=h8rYWVIaL8OzIv9C/EucSHVGhQlj4W8uIKSnZXIO/HQ=; b=aIjY3/1ecUEUWOlM7jUCswdhkOgnRj6QuHMrp+9yStFM28Bv5rWf4ZdVMWFbQdQoo2 XxHUWa4Zv7JkCWpq0McMVy5CqgA7o4Mptn65dAlRXg10OWXeEQk/movJFeUrPv3BMXmC aSFcwB5BFRnp+OK9l4lZN/rE43RCUZMYuZJNgIhiNVziwQe1jNG/3tN++PomjDZC6C1W SqgHtNFvtybqs5UKT0CQYrFbu/1WHA73nrETzjVKmMGRkU/KtDKswSj0FM9MnWjKd0bI b0djv1XpmqUv8/4r0m5xUEUhD9Pjk0jL2Qv6osxtg86QvBLOtxC+SRZv3Pg6fPwNy5qA vu5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=h8rYWVIaL8OzIv9C/EucSHVGhQlj4W8uIKSnZXIO/HQ=; b=hTt/0o3WU5YISWCbB6HQ5wP22ORqvLDs+aYMQs9tnqCzQKNkJCS/kUpfdTCn0psF82 08TaG9TBRYtKHzQpvU6ZxAGdRTwmAkxMAjT+b/cN+OzB+/RZbrcME8D0aHDo/AVh/HJ1 1tmMYcd57gQnlPD1D39coAOCp5J+FtKkF5DmMyfhEW7KPDcEezdvqsI5zSUYo0TqZqfY leN1FZBkLhqUYlnlnxmLgUnzkS+hdge/PjtRSUSyQMqkuomXV5w+kwS7wVTz89519d++ QWqlonFT3PHF2VTBKCjE7SrndcBYyDz9quNzl0zRnsjvmwdPeiXZgWG+8lq4so3MAUWL 4uQQ==
X-Gm-Message-State: AIVw1131Ju6qmqXiN/BnfB7RhU2Ol8nj/uD/RYjKQ0d8tsq2HdHqNzO/ sFCgnoyioLVqK2uzICIx0VYWaGGa17oG
X-Received: by 10.200.53.151 with SMTP id k23mr1839264qtb.104.1499658557772; Sun, 09 Jul 2017 20:49:17 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.185.157 with HTTP; Sun, 9 Jul 2017 20:49:16 -0700 (PDT)
In-Reply-To: <CABcZeBMfY2TN0rQMt3n8FDSAKOxjkt-nKoWQF7Q2O7nZ4azaaA@mail.gmail.com>
References: <CABkgnnW8nnoRGKoJQ4STAcT6CXdWFRCpz0h20hw+ksfw1x0PGg@mail.gmail.com> <6d4b76c9b42848f1b18c42ba22895993@usma1ex-dag1mb1.msg.corp.akamai.com> <CABcZeBM-qh+iW_+Br2URpdjHsLZ_L1xqZWUVirW-8-E7k4cvzg@mail.gmail.com> <564f297f17424f34b4ba1e118ab6f62c@usma1ex-dag1mb1.msg.corp.akamai.com> <D4D564D0-73C6-45CA-9962-33106229DE02@bluepopcorn.net> <220DB06A-E06D-4DAF-ADE6-7536B6E43630@callas.org> <aeee2c9019114d9789a2cd768f0b15e1@usma1ex-dag1mb1.msg.corp.akamai.com> <F16764CE-D4C4-4A48-9779-37BC8C2D1261@bluepopcorn.net> <CADPMZDB03S5ffc3_Ker=h08japc2PGAbch3F=+jRL9ZBjCzs3w@mail.gmail.com> <CABcZeBNnVrgW7J2nr3ds+++Lau4LRxa2EG69vywyBmBu+uzuPw@mail.gmail.com> <CAOj=BA0W67AGpzRurd8ue8ZhgLesfb6rdnutLy4dVnqwfVSu9A@mail.gmail.com> <CABcZeBMfY2TN0rQMt3n8FDSAKOxjkt-nKoWQF7Q2O7nZ4azaaA@mail.gmail.com>
From: Peter Goldstein <peter@valimail.com>
Date: Sun, 09 Jul 2017 20:49:16 -0700
Message-ID: <CAOj=BA21u5TvwazJSi7tcRY-E9Q-AiX-yM329nLuUk85SWB4zw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: denis bider <denisbider.ietf@gmail.com>, Jim Fenton <fenton@bluepopcorn.net>, "Salz, Rich" <rsalz@akamai.com>, "dcrup@ietf.org" <dcrup@ietf.org>, Martin Thomson <martin.thomson@gmail.com>, Jon Callas <jon@callas.org>
Content-Type: multipart/alternative; boundary="001a113eced49ee9450553ee7738"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/Q1dRabZejUkXLbo3GYNP5R7z48k>
Subject: Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypto-03
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jul 2017 03:49:20 -0000

>
> Support for larger keys isn't the issue at hand.  The issue is the 255
>> character limit imposed by the DNS crudware.  And I think keys for each of
>> those curves easily fit under the limit.
>>
>

> I'm referring to the claim that hashing doesn't provide any value. For any
>> curve > 256 bits, it does.
>
> Nope, that's the wrong limit in this case.  By itself we have no interest
in whether the hashed key is smaller than the key itself.  Using a hashed
key is always a loss on space (need to include the full key on each
message), time/CPU (computing the hash) and complexity - even when the
hashed key is smaller than the key itself.  It's always a loss - the
question is whether the loss has any offsetting value.

Hashing only provides value if the base64 encoded public key pushes the
record over the 255 byte limit.  The point of my math was to show that the
larger key size EC algorithms work fine within this limit without hashing.
There is a limit, but it's higher than the key size for all plausible EC
algorithms likely to be introduced in the next decade.

If we didn't have to deal with the 255 limit, we wouldn't be talking about
hashing RSA 2048.  We'd just use a bigger key with the existing format and
algorithm and be done with it.  We wouldn't even need a new RFC (support
for 2048 bit keys is required by RFC 6376
https://tools.ietf.org/html/rfc6376#section-3.3.3)

There was zero interest in adding fingerprinting for RSA 1024 bit keys -
even though the fingerprint would be much smaller than the key.  The
existing format works fine for these keys.  So it's safe to say we could
handle any EC curve <= 1024 bits without fingerprinting.

The value of the hashing is entirely in its ability to help DNS
administrators avoid this 255 byte limit.  And my point is that for the
likely alternatives that would be added in the future, larger key RSA
aside, hashing adds no value.

Best,

Peter