Re: [Dcrup] Hashed Key Records

Steve Atkins <steve@blighty.com> Thu, 22 June 2017 23:51 UTC

From: Steve Atkins <steve@blighty.com>
Date: Thu, 22 Jun 2017 16:51:52 -0700
References: <2793611.63lxTaCm4r@kitterma-e6430> <CAMm+Lwiu=bkQTmQsaaM6_-_kcPi6DEH3VPnJfB=3jDRtiGSyaQ@mail.gmail.com>
To: dcrup@ietf.org
In-Reply-To: <CAMm+Lwiu=bkQTmQsaaM6_-_kcPi6DEH3VPnJfB=3jDRtiGSyaQ@mail.gmail.com>
Message-Id: <29347FB0-BFF6-42C4-B489-302342F6F2C0@blighty.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/REazzRQF4dUaK0TDNl0oNvhOg94>
Subject: Re: [Dcrup] Hashed Key Records
List-Id: DKIM Crypto Update <dcrup.ietf.org>

> On Jun 22, 2017, at 4:44 PM, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
> 
> I would really like to get to a point where we could use one fingerprint format everywhere. This would then allow fingerprints to be cut and pasted from one place to another.

+1.

> 
> When I suggest we do something of this sort, people say 'write a draft'. Once I write a draft they say I am peddling my proposal. So pretend that I don't have a draft yet. These are the features I think are needed:
> 
> 1) Use Base32 encoding. 
> 
> DNS labels are case insensitive. Using fingerprints in DNS labels is very powerful. It allows DANE-like effects without the need for DANE records or DNSSEC.
> 
> 2) Incorporate the algorithm identifier into the fingerprint, do so in a way that ensures a Base32 fingerprint will never be confused with a PGP fingerprint.
> 
> 3) Include a description of the content type in the target of the fingerprint. This prevents semantic substitution attacks.
> 
> 4) Allow for optional grouping of characters to encourage readability.

(and maybe be specific about what embedded whitespace means)

These all seem good features.

I'm reminded of the $1$... style password hashes. Immediately recognizable in
general, but including enough embedded information that you know which
spec to follow.

Cheers,
  Steve
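
The four features listed in the quoted message, as an added example that is not part of the thread or of any draft. The algorithm id bytes, the length-prefixed content type, the minimum length, and the choice to treat dashes and whitespace as insignificant are all assumptions made for illustration.

```python
import base64
import hashlib

# Assumed registry, not from any spec: the leading byte names the digest.
# Both ids Base32-encode to a leading 'M', which is not a hex digit, so the
# result cannot be read as a hex (PGP-style) fingerprint.
ALGORITHMS = {0x60: "sha256", 0x61: "sha512"}
MIN_CHARS = 20  # assumed floor: refuse to verify heavily truncated values


def fingerprint(content_type, data, alg_id=0x60, chars=25, group=5):
    """Return a grouped Base32 fingerprint of (content_type, data)."""
    ctype = content_type.encode("ascii")
    h = hashlib.new(ALGORITHMS[alg_id])
    # Length-prefix the type so the type/data boundary is unambiguous, and
    # hash it with the data so the same bytes under another type differ.
    h.update(len(ctype).to_bytes(2, "big") + ctype + data)
    raw = bytes([alg_id]) + h.digest()
    text = base64.b32encode(raw).decode("ascii").rstrip("=")[:chars]
    return "-".join(text[i:i + group] for i in range(0, len(text), group))


def canonical(text):
    """Fold case and drop grouping characters and whitespace."""
    return "".join(c for c in text.upper() if c not in "- \t\r\n")


def verify(text, content_type, data):
    """Check a pasted or DNS-cased fingerprint against the given content."""
    want = canonical(text)
    if len(want) < MIN_CHARS:
        return False
    try:
        # The first 8 characters are exactly 5 bytes; byte 0 is the id.
        alg_id = base64.b32decode(want[:8])[0]
    except ValueError:
        return False
    if alg_id not in ALGORITHMS:
        return False
    have = fingerprint(content_type, data, alg_id, chars=len(want))
    return canonical(have) == want


if __name__ == "__main__":
    key = b"constructed sample public key bytes"  # constructed input
    fp = fingerprint("example/public-key", key)   # constructed type label
    print(fp, verify(fp.lower(), "example/public-key", key))
```
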