IETF Logo Mail Archive

Re: [Dcrup] Working Group Last Call for draft-ietf-dcrup-dkim-crypto

Scott Kitterman <sklist@kitterman.com> Tue, 06 February 2018 04:58 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E2CD126BFD for <dcrup@ietfa.amsl.com>; Mon, 5 Feb 2018 20:58:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kppH25Fm2cBk for <dcrup@ietfa.amsl.com>; Mon, 5 Feb 2018 20:58:30 -0800 (PST)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [IPv6:2607:f0d0:3001:aa::2]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAED21200C1 for <dcrup@ietf.org>; Mon, 5 Feb 2018 20:58:29 -0800 (PST)
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id C82F5C40245 for <dcrup@ietf.org>; Mon, 5 Feb 2018 22:58:28 -0600 (CST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1517893108; bh=Wwg2cMsty7cWYXzFlBkz/4TsKK/Efsjo4YLIM5e8dVQ=; h=From:To:Subject:Date:In-Reply-To:References:From; b=w1KpGGjSKvp/31oRlGfQfdob+0uwMFOq0MGRJ/BP6JTVPO8tGkUvd9em+z/WpIaCm dkqTU6OhwWyTF+INak/3FzfdbpckPyXtalsfCA14IaU877XjJjRu2UFPTkq1efrQx/ e1knnatYJwMGmXG+qizc5vuGPurK784WhX3zeqHA=
From: Scott Kitterman <sklist@kitterman.com>
To: dcrup@ietf.org
Date: Mon, 05 Feb 2018 23:58:27 -0500
Message-ID: <2552161.vR27snHKBu@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-139-generic; KDE/4.13.3; x86_64; ; )
In-Reply-To: <2046656.8I2TqWBbc6@kitterma-e6430>
References: <CAL0qLwb_WHM_e2odpc6gL2birKvVCKGpTpnW0oO_OUqWwFuo_g@mail.gmail.com> <2005843.OrHkAfkQ5T@kitterma-e6430> <2046656.8I2TqWBbc6@kitterma-e6430>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/bXo1LFB05bweUUeCQETRT9c2nOk>
Subject: Re: [Dcrup] Working Group Last Call for draft-ietf-dcrup-dkim-crypto
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2018 04:58:32 -0000

In addition to my remaining last call comments (particularly #1 below), I have 
an additional change to suggest.

Currently the draft has:

> 3.  Ed25519-SHA256 Signing Algorithm
> 
>    The ed25519-sha256 signing algorithm computes a message hash as
>    defined in section 3 of [RFC6376], and signs it with the Hash variant
>    of Ed25519, as defined in in RFC 8032 section 5.1 [RFC8032].  The
>    signing algorithm is HashEdDSA.

I think this needs to be reworded for clarity (based on our current 
confusion).    I would suggest this (combining my previous LC comment and 
trying to clarify the current issue):

> The Ed25519-SHA256 Signing Algorithm computes a message hash as described
> in Section 3.7  of [RFC6376] using SHA-256 [FIPS-180-3-2008] as the
> hash-alg and signs it with Ed25519, as defined in in RFC 8032 section 5.1
> [RFC8032].  Example keys and signatures below are based on RFC 8032
> section 7.1.

It's unfortunate that the term Ed25519 is overloaded in RFC 8032, so it's not 
easy to specify.  By specifying when example set we used for our example keys, 
it'll make it clear which the draft means.

Scott K

On Monday, January 22, 2018 11:38:38 PM Scott Kitterman wrote:
> I know the last call was a long time ago and so it'd be easy to have
> forgotten, but I think points 1 and 2 are still germane.  It would also
> still be nice to see a sample signature included.
> 
> Scott K
> 
> On Friday, December 01, 2017 06:57:31 PM Scott Kitterman wrote:
> > On Friday, December 01, 2017 11:45:50 AM Murray S. Kucherawy wrote:
> > > Colleagues,
> > > 
> > > We hereby begin Working Group Last Call for
> > > draft-ietf-dcrup-dkim-crypto,
> > > to end December 15th.  Please review the document and post the
> > > (preferably
> > > at least somewhat detailed) results of your reviews to the list or to
> > > the
> > > chairs and author by end of that day.  Assuming no major revisions or
> > > discussion are needed, we hope to have this shipped to Alexey by the
> > > beginning of the December holidays.
> > 
> > I've reviewed the document (and started working on implementation).  I
> > think it is generally ready to go, but I have four comments:
> > 
> > 1.  The existing RFC 6376 signature algorithms specify what to use for
> > hash- alg.  That's missing from the Ed25519-SHA256 definition in section
> > 3.  As implied by the name (and discussed on the list), the hash-alg
> > should be SHA256.  Recommend replacing the leading sentence phrase in
> > section 3 with:
> > 
> > The Ed25519-SHA256 Signing Algorithm computes a message hash as described
> > in Section 3.7  of [RFC6376] using SHA-256 [FIPS-180-3-2008] as the
> > hash-alg, ...
> > 
> > This matches the way other signing algorithms are described in RFC 6376.
> > 
> > 2.  For clarity, per some of the IETF LC feedback on
> > draft-ietf-dcrup-dkim-
> > usage, recommend adding after the main body of section 3 and before the
> > note:
> > 
> > This is an additional DKIM signature algorithm added to Section 3.3 of
> > [RFC6376] as envisioned in Section 3.3.4 of [RFC6376].
> > 
> > 3.  Private key storage format
> > 
> > Unlike RSA, Ed25519 does not appear to have a standardized textual format.
> > I think it might make sense to specify that for DKIM Ed25519 purposes the
> > private key is stored as the base64 encoded output of the RFC 8032 Section
> > 5.1.5 private key generation processes.  This would provide a (slightly)
> > human readable private key representation that could be used by different
> > implementations so that operators can safely switch implementations
> > without
> > regenerating keys and that are more understandable for trouble shooting
> > purposes.
> > 
> > 4.  Examples
> > 
> > It would be nice to have at least one signing example for implementers to
> > use to verify correctness.  I currently have either a signing bug or a
> > verification bug in my work and I'm not sure which.  If I had a known
> > correct example to bounce my signing results against, that would help a
> > lot.
> > 
> > Scott K
> > 
> > _______________________________________________
> > Dcrup mailing list
> > Dcrup@ietf.org
> > https://www.ietf.org/mailman/listinfo/dcrup
> 
> _______________________________________________
> Dcrup mailing list
> Dcrup@ietf.org
> https://www.ietf.org/mailman/listinfo/dcrup

v2.23.0 | Report a Bug | By Email