Re: [Dcrup] I-D Action: draft-ietf-dcrup-dkim-usage-02.txt

"Murray S. Kucherawy" <superuser@gmail.com> Mon, 12 June 2017 03:25 UTC

Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=RwwNK2GqSL+QB3Ss1awyaRBzXqV3BXhnp2wGm5I5r5c=; b=MKTPVtI5B65B+Kq5De3prX8FTDDnpfUCh2UFw8xADEZhv0TFNrQvIV8hJsvFnGUHaa tAmZs46b88MUHkhj5N1huvP0pIJFvz9sbGqXWhE5x7zUDZ2gepZRucHmPgUKQzTyWfBu 4mvdSt12s/Eh5mEEFSKwSoKjcmXWUmSrg+3tesylYNMr1LbT3O+OoaiKZ7Pm2TK4MyIQ 9MFTKXWQyjINNNOSk04Unvf9VVQ7fDN6gx+plKCzfHphdGe3ANAArT4bS96IzRHsFfiW ok+2YqlaDbta6Ei6gMwKcYhXHX2KJwa0Quoq8v6r6T71q4dp+UKRITSM81jVyxJzAqDf EH4g==
In-Reply-To: <CABkgnnWfFR=33t+SF8j_fmQ5EN8LmgP_WyMs-Ga=9VQ2eEC40g@mail.gmail.com>
References: <149690083334.25644.8501543904193079634@ietfa.amsl.com> <CABkgnnWdaecFqcVMSNYy8F7Z1_ijYG9-Vt2cw+AHoedziRXHDA@mail.gmail.com> <30567530.MBenZTfLgc@kitterma-e6430> <CABkgnnWfFR=33t+SF8j_fmQ5EN8LmgP_WyMs-Ga=9VQ2eEC40g@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Sun, 11 Jun 2017 20:25:48 -0700
Message-ID: <CAL0qLwZYO-=fz=qCt5V-kAAtf0+6qoSTU1wEp7go2PVSD0ZKiw@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Scott Kitterman <sklist@kitterman.com>, dcrup@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/Y_IAS5qKZc9J2kcSs9VSr32BSQw>
Subject: Re: [Dcrup] I-D Action: draft-ietf-dcrup-dkim-usage-02.txt

On Sun, Jun 11, 2017 at 1:40 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> https://github.com/kitterma/draft-ietf-dcrup-dkim-usage/pull/1
>
> I think that I got the essence of your changes there.  And it's a lot
> shorter.
>

Can you explain what you mean by "rely on"?

> Second, you can fit a key larger than 1024 bits in less than 256
> octets.  A 1536-bit key isn't that great, but it's a huge amount
> better than 1024.  I haven't done the math, but I'm sure that you
> could find a number that maximizes key length without blowing the 256
> octet limit.  This might be good advice to add (which would also mean
> that you can keep the paragraph).
>

Interesting.  And there's a bit of variability since the key record can
have other stuff in it (3.6.1 of RFC6376) which reduces the amount of space
available for the "p=" value.

My possibly ignorant run at the math:
- my 1024-bit public key encodes to base64 in 217 characters
- there are 255 octets available in a character-string in a TXT record
- subtracting 10 from that for "v=DKIM1;p=", which is required, leaves 245,
assuming there's no other cruft or spaces in the record
- for 217:1024 = 245:x, x = 1156

So by that logic, you can put a 1156-bit key in a record now without
changing anything.  For anything bigger you will need multiple
character-strings in the TXT field which I believe is one of the things
John says doesn't fly in current provisioning software.

-MSK
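The calculation in the message above, carried through against the actual DER encoding instead of by proportion, as an added example that is not part of the original message or of the draft. It encodes the SubjectPublicKeyInfo that "p=" carries with a small hand-written DER encoder, so no key generation is needed: the modulus is a placeholder with the top bit set, which gives the same encoded length as a genuine modulus of that size but is not a usable key. It then measures the base64 length for several RSA sizes, finds the largest byte-aligned modulus whose whole record fits in one 255-octet TXT character-string for a given tag prefix, and shows how a larger record has to be split across several character-strings. The two tag prefixes ("v=DKIM1;p=" and "v=DKIM1; k=rsa; p=") are assumptions about what a record contains; any other tags shrink the space further.

```python
from __future__ import annotations

import base64


def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER tag-length-value encoding (definite lengths up to 65535)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    elif n < 0x10000:
        length = bytes([0x82, n >> 8, n & 0xFF])
    else:
        raise ValueError("content too long for this toy encoder")
    return bytes([tag]) + length + content


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 if the top bit is set)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1
DER_NULL = b"\x05\x00"
MAX_CHARACTER_STRING = 255  # octets per <character-string> in a TXT RR


def rsa_spki_der(n: int, e: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an RSA key, the form RFC 6376 3.6.1 puts in p=."""
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    alg_id = der_tlv(0x30, RSA_ENCRYPTION_OID + DER_NULL)
    bit_string = der_tlv(0x03, b"\x00" + rsa_public_key)  # 0 unused bits
    return der_tlv(0x30, alg_id + bit_string)


def placeholder_modulus(bits: int) -> int:
    """Not a real key: top bit set so the encoding has the length of a genuine modulus."""
    return (1 << (bits - 1)) | 0x10001


def p_value_length(bits: int) -> int:
    """Number of base64 characters the p= value occupies for an RSA key of this size."""
    return len(base64.b64encode(rsa_spki_der(placeholder_modulus(bits))))


def dkim_record(bits: int, prefix: str = "v=DKIM1; k=rsa; p=") -> str:
    """Full record text: assumed tag prefix followed by the base64 SPKI."""
    return prefix + base64.b64encode(rsa_spki_der(placeholder_modulus(bits))).decode()


def fits_in_one_string(bits: int, prefix: str = "v=DKIM1; k=rsa; p=") -> bool:
    """True if the whole record fits in a single 255-octet character-string."""
    return len(dkim_record(bits, prefix).encode()) <= MAX_CHARACTER_STRING


def largest_single_string_key(prefix: str = "v=DKIM1; k=rsa; p=") -> int:
    """Largest byte-aligned modulus size whose record still fits in one character-string."""
    best = 0
    for bits in range(512, 4097, 8):
        if fits_in_one_string(bits, prefix):
            best = bits
    return best


def txt_character_strings(record: str) -> list[str]:
    """Split a record into the <=255-octet strings a TXT RR carries (verifiers concatenate them)."""
    data = record.encode()
    return [data[i:i + MAX_CHARACTER_STRING].decode()
            for i in range(0, len(data), MAX_CHARACTER_STRING)]


if __name__ == "__main__":
    for bits in (1024, 1152, 1536, 2048):
        print(f"{bits}-bit: p= is {p_value_length(bits)} chars, "
              f"one string: {fits_in_one_string(bits)}")
    print("largest with 'v=DKIM1;p=':", largest_single_string_key("v=DKIM1;p="))
    print("largest with 'v=DKIM1; k=rsa; p=':", largest_single_string_key())
    parts = txt_character_strings(dkim_record(2048))
    print(f"2048-bit record needs {len(parts)} character-strings of", [len(p) for p in parts])
```

A 1024-bit SPKI is 162 DER bytes, which base64 encodes to 216 characters; a 2048-bit one is 294 bytes, or 392 characters, so it cannot fit in one string with any prefix. Because DER lengths grow in steps as the modulus crosses byte boundaries, the exact cut-off depends on the prefix: with only "v=DKIM1;p=" a 1192-bit modulus still fits, with "v=DKIM1; k=rsa; p=" the limit drops to 1144 bits. The split function is what a zone file has to do for anything larger; it is the verifier's job (RFC 6376 3.6.2.2) to concatenate the strings again.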