Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00

Steve Atkins <steve@blighty.com> Fri, 19 May 2017 18:01 UTC

From: Steve Atkins <steve@blighty.com>
Date: Fri, 19 May 2017 11:01:01 -0700
References: <20170519150639.5129.qmail@ary.lan>
To: dcrup@ietf.org
In-Reply-To: <20170519150639.5129.qmail@ary.lan>
Message-Id: <7C8DBA8A-F18E-450C-B4C9-D3784FB9E8C3@blighty.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/ZZb6aXnygsHcChHWug_8Kao5lbs>

> On May 19, 2017, at 8:06 AM, John Levine <johnl@taugh.com> wrote:
> 
> In article <B0689C30-3B55-49AB-892D-D0923831961D@kitterman.com> you write:
>>> Perhaps to read section 4 of the draft?
>> 
>> What currently available DKIM software supports that approach?  I don't think any, so I believe that the question of what operators should do until new software can be developed and deployed is still open.
> 
> None.  In fact, I am reasonably sure that 1K keys are plenty strong
> for DKIM for the next few years.  

Likely big enough for the near future, yes (and 1.5k keys for longer still, and even 2k keys are less than 400 bytes long, which still leaves plenty of space in a 512 byte response).

> As I noted, DKIM keys and signatures
> are intended to be short lived.

That was the plan, but in practice DKIM selectors (and presumably the associated key pairs) seem to be commonly deployed once, when the user sets up DKIM and never changed until the mail infrastructure is next updated.

The organizations represented here are probably better at key rotation than most, and here I see selectors of "jan2016.eng", "20161025" and "ietf1", none of which suggest regular rotation.

They're not short-lived and (unless we somehow enforce key rotation) our crypto decisions should probably be informed by that.

Cheers,
  Steve
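To put the "less than 400 bytes" figure next to the 512-byte UDP limit, here is an added Python example (not from this thread or from any DKIM implementation) that builds a size-exact RSA SubjectPublicKeyInfo for a given modulus length, wraps it as a DKIM TXT record, and sizes the smallest possible DNS answer; the selector/domain name, and the absence of EDNS and additional records, are assumptions of the example.

```python
import base64

# SEQUENCE { OID 1.2.840.113549.1.1.1 (rsaEncryption), NULL }: the fixed
# AlgorithmIdentifier inside an RSA SubjectPublicKeyInfo
RSA_ALGORITHM_ID = bytes.fromhex("300d06092a864886f70d0101010500")
DKIM_PREFIX = "v=DKIM1; k=rsa; p="
DNS_UDP_LIMIT = 512  # classic (pre-EDNS) maximum UDP DNS message size

def der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_uint(v: int) -> bytes:
    """DER INTEGER of a non-negative value (leading 0x00 keeps it positive)."""
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return der_tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)

def rsa_spki_der(bits: int, e: int = 65537) -> bytes:
    """SubjectPublicKeyInfo DER for an RSA key with a `bits`-bit modulus.
    The modulus is a constructed placeholder (only its top bit set); its
    encoded size equals that of a real key, which is all this needs."""
    n = 1 << (bits - 1)
    rsa_public_key = der_tlv(0x30, der_uint(n) + der_uint(e))
    return der_tlv(0x30, RSA_ALGORITHM_ID + der_tlv(0x03, b"\x00" + rsa_public_key))

def dkim_txt_record(bits: int) -> str:
    """TXT record text published at <selector>._domainkey.<domain>."""
    return DKIM_PREFIX + base64.b64encode(rsa_spki_der(bits)).decode()

def txt_rdata_len(record: str) -> int:
    """TXT RDATA is a chain of <len><up to 255 chars> strings, so every
    255-character chunk costs one extra length byte on the wire."""
    return len(record) + (len(record) + 254) // 255

def udp_response_size(bits: int, name: str = "s1._domainkey.example.com") -> int:
    """Smallest answer: 12-byte header, question (wire name + type/class),
    one RR (2-byte name pointer + 10 fixed bytes) and the TXT RDATA.
    Assumes no EDNS OPT record and no additional section."""
    wire_name = sum(1 + len(label) for label in name.split(".")) + 1
    return 12 + (wire_name + 4) + 12 + txt_rdata_len(dkim_txt_record(bits))

def fits_in_classic_udp(bits: int) -> bool:
    return udp_response_size(bits) <= DNS_UDP_LIMIT

if __name__ == "__main__":
    for bits in (1024, 1536, 2048, 4096):
        p_len = len(dkim_txt_record(bits)) - len(DKIM_PREFIX)
        print(f"{bits}-bit: p= {p_len} chars, minimal UDP answer "
              f"{udp_response_size(bits)} bytes, fits: {fits_in_classic_udp(bits)}")
```

A 2048-bit key yields a 392-character p= value and a minimal answer well under 512 bytes; 4096-bit keys are the first size in this series that cannot fit without EDNS or TCP fallback.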