Re: [Dcrup] Time For People To Really Stop Using SHA-1 Signatures?

Hector Santos <hsantos@isdg.net> Tue, 14 January 2020 17:44 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC7E41208E7 for <dcrup@ietfa.amsl.com>; Tue, 14 Jan 2020 09:44:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=QHNPsV3v; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=FhNM5vA9
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H2hOBSWGDOQ0 for <dcrup@ietfa.amsl.com>; Tue, 14 Jan 2020 09:44:01 -0800 (PST)
Received: from mail.winserver.com (pop3.winserver.com [76.245.57.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BA291200EC for <dcrup@ietf.org>; Tue, 14 Jan 2020 09:44:01 -0800 (PST)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=796; t=1579023830; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=li2MT5vfOkvoBCyD20BYJq7XOKQ=; b=QHNPsV3vEh70V8uglYVCzb8uqy8lQIZzV+Vc1uaAT61cJiydMYyLFc7rMPLBtk HanlYTygSekR0tqLpEmjsRD7kvxZbR4P+JiR/U6oljZAN6r8y+/Smkf0oCwZ7VXW 05StLpqeuEVTZ0Eh8KTSImyYZLbsQHO3yEPYCnLlTmihk=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.9) for dcrup@ietf.org; Tue, 14 Jan 2020 12:43:50 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v8.0.454.9) with ESMTP id 2636185929.1.2388; Tue, 14 Jan 2020 12:43:49 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=796; t=1579023633; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=bNrlyEw yfc39xBUQFtEoExN5y5h4UHEV2+GmAdLi1zY=; b=FhNM5vA9DMQbvGDyk5TkyGA Irde+VNq2GOYazXS/u5y0qT3TQG+6pLCIrgizuHeN56X64BnLfzZrlZ0A4jKX45W P3b1qlPgKYfeNOSsKopKLsETI8sImGrJSFSogjjON83x//nrvkVpcgRr80DatjpD jqO6IO66RPOFzB/O4+Ng=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.9) for dcrup@ietf.org; Tue, 14 Jan 2020 12:40:33 -0500
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.9) with ESMTP id 3198813968.1.11196; Tue, 14 Jan 2020 12:40:33 -0500
Message-ID: <5E1DFDD3.5010600@isdg.net>
Date: Tue, 14 Jan 2020 12:43:47 -0500
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dcrup@ietf.org
References: <1836468.B6t98xBJ9D@l5580> <5E1DD3B8.5030507@isdg.net> <2930903.4jkiU04MHV@l5580> <9344656.UHueZpf3bW@l5580>
In-Reply-To: <9344656.UHueZpf3bW@l5580>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/YqXZjmXCgpeTO21pjApYc73seOc>
Subject: Re: [Dcrup] Time For People To Really Stop Using SHA-1 Signatures?
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2020 17:44:03 -0000

On 1/14/2020 9:58 AM, Scott Kitterman wrote:

> At some point you are going to have to actually implement sha-256:

Our Wildcat! DKIM package included SHA256 since day one

> DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1;
>
> You're close to a decade and a half late.

Hmmm, I believe you knew the above and the reasons why I have SHA1 here.

SHA1 was intentional set for my isdg.net domain -- on purpose.  I 
wanted to see where were these clobbering problems.  Where is this 
SHA1 clobbering in the last 15 years?   Use this this "new method" on 
my mail.

Again, I always supported the deprecation - verify support.  I don't 
support outright pulling of SHA1 from DKIM specification, nor APIs. 
OpenSSL would be making a major "internet hurting" mistake if they do.

-- 
HLS