IETF Logo Mail Archive

Re: [Dcrup] New algorithm availability was: Re: draft-ietf-dcrup-dkim-crypto-00

Scott Kitterman <sklist@kitterman.com> Fri, 19 May 2017 17:46 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 143E4129AB0 for <dcrup@ietfa.amsl.com>; Fri, 19 May 2017 10:46:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.698
X-Spam-Level:
X-Spam-Status: No, score=0.698 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UNzxTGjO_bE2 for <dcrup@ietfa.amsl.com>; Fri, 19 May 2017 10:46:29 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BC20129AA0 for <dcrup@ietf.org>; Fri, 19 May 2017 10:46:29 -0700 (PDT)
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 2BF4FC4010C for <dcrup@ietf.org>; Fri, 19 May 2017 12:46:28 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1495215988; bh=LlmNxSGUjq2+OpTT8GC3VZetw0AYC/oHRCRvxHjZTZM=; h=From:To:Subject:Date:In-Reply-To:References:From; b=zyiR6Yxlwg5ccvnMjzH/nCjOL17yuxVsDD3MbAg+jo4S4NR3PD+Ok2U0SleL3wUTn MJBLOlQ5yzCIj5gFJ2JBGKH/eFsYbzT2xyw4g2XUBA3FAJkoGmbLYgDKqlt4fYkQHI RipNg9Azdmsd+u3gd0g1a12zVQPQWyN15Jc8dCgM=
From: Scott Kitterman <sklist@kitterman.com>
To: dcrup@ietf.org
Date: Fri, 19 May 2017 13:46:27 -0400
Message-ID: <4953918.gJaR4Uu6GM@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-119-generic; KDE/4.13.3; x86_64; ; )
In-Reply-To: <4ff2a3a3ce94418489111c61aea21489@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <20170519143049.4908.qmail@ary.lan> <4250639.jMYMH1ii8S@kitterma-e6430> <4ff2a3a3ce94418489111c61aea21489@usma1ex-dag1mb1.msg.corp.akamai.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/Qg01Gv93aToJYqmE28H1QRSABY8>
Subject: Re: [Dcrup] New algorithm availability was: Re: draft-ietf-dcrup-dkim-crypto-00
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 May 2017 17:46:30 -0000

On Friday, May 19, 2017 05:20:43 PM Salz, Rich wrote:
> > Generally, yes, but DKIM verifiers don't support it currently, so for this
> > purpose, not yet.
> 
> This issue of "we need to move forward; we have an installed base" is not
> new.  RSA2K doesn't fit in many DNS TXT records, so I think that will be an
> additional driver to upgrade.  You may disagree.

I agree there will be drivers to upgrade, but regardless of the drivers, 
upgrades take time.  I think we have two problems to address:

1.  What can be done within the scope of deployed software that was developed 
based on the RFC 6376 requirements (which can be deployed now)

2.  What should be done to modernize crypto for DKIM for the longer term that, 
while it will require software upgrades, will keep DKIM fit for purpose for a 
long (FSVO long) time.

I think they both are important.  I think the first one is really easy to 
specify and cross off the list (I am personally very interested in being able 
to tell people "No, I don't have to verify your 512 bit key.  RFC 6376 has 
been updated by RFC XXXX.  Please join the latter half of the second decade of 
the 21st century).

It's likely we disagree less than I infer you imagine.

Scott K

v2.23.0 | Report a Bug | By Email