Re: [Dcrup] I-D draft-ietf-dcrup-dkim-crypto-06

"John R Levine" <johnl@taugh.com> Fri, 15 September 2017 00:32 UTC

Date: Thu, 14 Sep 2017 20:32:52 -0400
Message-ID: <alpine.OSX.2.21.1709142029180.6872@ary.local>
From: John R Levine <johnl@taugh.com>
To: James Cloos <cloos@jhcloos.com>
Cc: dcrup@ietf.org
In-Reply-To: <m3vakl9rjx.fsf@carbon.jhcloos.org>
References: <20170914014118.2378.qmail@ary.lan> <m3vakl9rjx.fsf@carbon.jhcloos.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/_Ua54fFqvDPoDZ4wxJvAMNHMAKo>
Subject: Re: [Dcrup] I-D draft-ietf-dcrup-dkim-crypto-06

> JL> I haven't looked in detail at the APIs for Ed25519 crypto, but naively
> JL> assumed that if the spec says there's a pure version that doesn't hash
> JL> its input, the libraries would implement it.
>
> I thought that the consensus was the opposite.  Wasn't esr demanding
> that and everyone else arguing the opposite?

No, that was an unrelated issue of how to publish the verification keys. 
See the WG archives.

> It is certainly the case that the "pure" version of eddsa is unlikely to
> get much support by the crypto libraries.

That seems strange, since the difference between pure and hash is that the
pure version just skips the hash.  But if it is really the case that it
will be hard to find pure versions it would be silly but harmless to
change the spec to say that it calls the hash version of Ed25519 so it
rehashes the hash we give it.

As far as I know rehashing a hash with a reasonable second hash function 
doesn't make it any weaker.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
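To show in code what the two conventions contrasted above mean for interoperability, here is an added example (mine, not the draft's or any library's own code) in Go using only the standard library: the signer hashes the canonicalized headers with SHA-256, assumed here as the DKIM hash, and signs that digest with pure Ed25519; a verifier that hashes the digest once more before verifying, modelled with a plain SHA-512 rather than full Ed25519ph, rejects a perfectly valid signature. The header block is a constructed sample, not real mail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"fmt"
)

// headerHash: what a DKIM signer hands to the primitive, SHA-256 over the
// already-canonicalized header block (canonicalization itself is out of scope).
func headerHash(canonHeaders string) []byte {
	sum := sha256.Sum256([]byte(canonHeaders))
	return sum[:]
}

// signPure signs that digest with pure Ed25519 (no further hashing of the
// input); the result is base64, as it would appear in a b= tag.
func signPure(priv ed25519.PrivateKey, canonHeaders string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, headerHash(canonHeaders)))
}

// verify checks a b= value against the message the verifier believes was signed.
func verify(pub ed25519.PublicKey, msg []byte, b64sig string) bool {
	sig, err := base64.StdEncoding.DecodeString(b64sig)
	return err == nil && ed25519.Verify(pub, msg, sig) // malformed b= fails, no panic
}

// verifyRehashed models a verifier whose library hashes its input once more
// (SHA-512, as a prehash variant does, minus Ed25519ph's domain prefix). Signer
// and verifier then disagree on the message, so a good signature under the
// right key fails: the spec has to pin down which variant both sides call.
func verifyRehashed(pub ed25519.PublicKey, canonHeaders, b64sig string) bool {
	rehashed := sha512.Sum512(headerHash(canonHeaders))
	return verify(pub, rehashed[:], b64sig)
}

// roundTrip signs hdrs under a fresh key and reports the pure verifier's answer
// on the real headers, on tampered headers, and the rehashing verifier's answer.
func roundTrip(hdrs string) (pureOK, tamperedOK, rehashOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := signPure(priv, hdrs)
	return verify(pub, headerHash(hdrs), sig), verify(pub, headerHash(hdrs+"x"), sig), verifyRehashed(pub, hdrs, sig)
}

func main() {
	fmt.Println(roundTrip("from:alice@example.org\r\nsubject:test\r\n")) // true false false
}
```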