Re: [Dcrup] I-D draft-ietf-dcrup-dkim-crypto-06

Jeremy Harris <jgh@wizmail.org> Tue, 21 November 2017 01:11 UTC

Return-Path: <jgh@wizmail.org>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C5801205F0 for <dcrup@ietfa.amsl.com>; Mon, 20 Nov 2017 17:11:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7tSPKZtRFeuU for <dcrup@ietfa.amsl.com>; Mon, 20 Nov 2017 17:11:42 -0800 (PST)
Received: from wizmail.org (wizmail.org [IPv6:2a00:1940:107::2:0:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D9BE1201FA for <dcrup@ietf.org>; Mon, 20 Nov 2017 17:11:41 -0800 (PST)
Received: from [2a00:b900:109e:0:df75:dcf5:c97b:6fad] (helo=localhost.localdomain) by wizmail.org with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89.122) id 1eGx6B-0002lz-79 for dcrup@ietf.org (return-path <jgh@wizmail.org>); Tue, 21 Nov 2017 01:11:39 +0000
To: dcrup@ietf.org
References: <20170914014118.2378.qmail@ary.lan> <m3vakl9rjx.fsf@carbon.jhcloos.org> <alpine.OSX.2.21.1709142029180.6872@ary.local>
From: Jeremy Harris <jgh@wizmail.org>
Message-ID: <383fef94-84c4-9b54-5566-a6fa1279aa38@wizmail.org>
Date: Tue, 21 Nov 2017 01:11:37 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <alpine.OSX.2.21.1709142029180.6872@ary.local>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Pcms-Received-Sender: [2a00:b900:109e:0:df75:dcf5:c97b:6fad] (helo=localhost.localdomain) with esmtpsa
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/WjurOaKnR0NCh2MCeClsegdvp3Y>
Subject: Re: [Dcrup] I-D draft-ietf-dcrup-dkim-crypto-06
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Nov 2017 01:11:44 -0000

On 15/09/17 01:32, John R Levine wrote:
>> JL> I haven't looked in detail at the APIs for Ed25519 crypto, but
>> naively
>> JL> assumed that if the spec says there's a pure version that doesn't
>> hash
>> JL> its input, the libraries would implement it.
>>
>> I thought that the consensus was the opposite.  Wasn't esr demanding
>> that and everyone else arguing the opposite?
> 
> No, that was an unrelated issue of how to publish the verification keys.
> See the WG archives.
> 
>> It is certainly the case the the "pure" version of eddsa is unlikely to
>> get much support by the crypto libraries.
> 
> That seems strange, since the difference between pure and hash is that
> the pure version just skips the hash.  But if it is really the case that
> it will be hard to find pure versions it would be silly buy harmless to
> change the spec to say that it calls the hash version of Ed25519 so it
> rehashes the hash we give it.
> 
> As far as I know rehashing a hash with a reasonable second hash function
> doesn't make it any weaker.

Wouldn't it be more aesthetically pleasing to decouple, for dkim
a=ed25519-sha256 signing, the hash used for the body (sha256 as
specified by the 'a' tag) from the hash used for signing headers
(sha512, I think, but whatever the libraries have tied to
Ed25519 signing)?

[I think we should specify the hash method that goes with
 the signing, too]

The hash of the headers does not appear to be used for anything
but debug output and feeding to the signing stage, at least in
the current Exim implementation of dkim signing.  Doing the
above would avoid the rehash.  Either way (this or the rehash),
Ed25519 signing is going to be different to RSA signing.
-- 
Cheers,
  Jeremy