Re: [Dcrup] Ben Campbell's Yes on draft-ietf-dcrup-dkim-usage-04: (with COMMENT)

Hector Santos <hsantos@isdg.net> Tue, 24 October 2017 02:54 UTC

Message-ID: <59EEAB61.4040504@isdg.net>
Date: Mon, 23 Oct 2017 22:54:25 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dcrup@ietf.org
References: <150656461384.13748.13197533071257342162.idtracker@ietfa.amsl.com> <CAL0qLwbN0O5zenpNtR3YA=v-Tqs5MpF-GbRdDmJB2WMa6eD5YQ@mail.gmail.com> <CABkgnnVs8tei_51has5WRO9CFceMLpVYHTVJVXPnFL3wp2drzg@mail.gmail.com>
In-Reply-To: <CABkgnnVs8tei_51has5WRO9CFceMLpVYHTVJVXPnFL3wp2drzg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/Zt6XRxTEFVZxT_11Ms1dFNC8wAU>
Subject: Re: [Dcrup] Ben Campbell's Yes on draft-ietf-dcrup-dkim-usage-04: (with COMMENT)
List-Id: DKIM Crypto Update <dcrup.ietf.org>

On 10/19/2017 4:40 AM, Martin Thomson wrote:
> On Thu, Oct 19, 2017 at 6:35 PM, Murray S. Kucherawy
> <superuser@gmail.com> wrote:
>>> -4: "Verifiers MUST verify using rsa-sha256."
>>>
>>> Should this say "...MUST be able to..."? That is, am I correct in assuming
>>> that a verifier will use the scheme specified by the signer if it is capable
>>> of doing so, and that it doesn't make sense to try to verify with rsa-sha256
>>> if the signer used something else?
>>
>>
>> I see Ben's point, and "MUST be able to..." sounds reasonable to me.  I
>> think this also addresses Jari's GEN-ART point (to which Mirja alluded), and
>> his "MUST implement" suggestion also seems reasonable to me.
>>
>> What does the WG prefer?
>
> I saw the original requirement as stipulating a policy requirement in
> addition to an implementation requirement.  That is, verifiers need to
> insist on a valid rsa-sha256 signature or the message is considered
> unverified.

+1, but I believe the policy requirement is the DKIM signer domain 
insisting via the public key record using a "h=sha256" tag.  The 
verifier should be ready to invalidate a DKIM sha1 signed message with 
a hash policy mismatch result/error. An SMTP Verifier spawning a 
dynamic DKIM-related protocol check at the DATA state can return a 
permanent negative response code, i.e. 55z.

-- 
HLS
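
The hash policy check discussed in this message, as an added example that is not part of the original post or of any implementation named in it: it compares the hash in a signature's a= tag with the h= tag of the signer's key record (RFC 6376, section 3.6.1) and produces a permanent SMTP reply on mismatch. The function names, the sample records and the reply text are assumptions; 550 is used as one instance of the "55z" class.

```python
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Folding whitespace inside a value is not significant here.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_hash_policy(signature_header, key_record):
    """Evaluate one signature against the key record's h= hash policy.

    Returns (result, smtp_reply); result is "ok", "permerror" or
    "hash-policy-mismatch". The reply strings are illustrative only.
    """
    sig = parse_tags(signature_header)
    key = parse_tags(key_record)
    algorithm = sig.get("a", "")
    if "-" not in algorithm:
        return "permerror", "550 malformed DKIM signature (a= tag)"
    sig_hash = algorithm.split("-", 1)[1].lower()
    # h= in the key record is a colon-separated list of acceptable hash
    # algorithms; when the tag is absent, every algorithm is allowed.
    if "h" in key:
        allowed = {h.lower() for h in key["h"].split(":") if h}
        if sig_hash not in allowed:
            return ("hash-policy-mismatch",
                    "550 DKIM hash %s not permitted by signer key record"
                    % sig_hash)
    return "ok", None

# Constructed sample data: signature tags modelled on the a=/d=/s= values
# visible in this message's headers; key records use a placeholder p= value.
SIG_SHA1 = "v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed"
SIG_SHA256 = "v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256"
KEY_SHA256_ONLY = "v=DKIM1; k=rsa; h=sha256; p=PLACEHOLDERKEY"
KEY_NO_POLICY = "v=DKIM1; k=rsa; p=PLACEHOLDERKEY"

if __name__ == "__main__":
    for sig in (SIG_SHA1, SIG_SHA256):
        for key in (KEY_SHA256_ONLY, KEY_NO_POLICY):
            print(parse_tags(sig)["a"], "|", key, "->",
                  check_hash_policy(sig, key))
```

The check covers a single signature; the cryptographic verification of b= and bh= is a separate step and is not shown.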