Re: [Dcrup] key rotation, was Is there anything this WG wants to do not yet in draft-ietf-dcrup-dkim-crypto-01 ?

"John R Levine" <johnl@taugh.com> Tue, 20 June 2017 19:15 UTC


On Tue, 20 Jun 2017, Jon Callas wrote:
> My biggest concern is about key rollover. I could, should, say more, but every time I write a page I get rantier than I wanted to be.
>
> Suffice it to say that removing and retiring keys (which is easy because 
> they're just in DNS, ...

We talked about this at the M3AAWG meeting.  The main reason that mail 
systems don't rotate keys is that rotating is hard because they're in the 
DNS.  In many organizations, the people who run the DNS are far away from 
the people who run the mail, and the two groups are not friends.

A proposed hack is to publish two or three key records as CNAMEs that 
point at a DNS server the mail people control, and rotate the target 
records a few times a year.

In large organizations there's also the issue of updating all of the mail 
servers at roughly the same time, but the DNS management is apparently the 
hard part.

In any event, key rotation is a security issue rather than an 
interoperation issue.  If you want I can ask the guy who proposed the 
CNAMEs if he'd like to write it up as an information draft.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
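An added illustration, not part of this message or any real deployment, of the CNAME hack described above: the corporate zone holds fixed selector CNAMEs that the DNS team never touches again, while the mail team's own zone holds the TXT targets that actually rotate. All zone names and keys are constructed, and the three-selector ring is an assumption so that mail signed under the previous key still verifies while in transit.

```python
# Constructed model of CNAME-delegated DKIM selector rotation (illustration only).
from dataclasses import dataclass, field
from typing import Optional

# Zone run by the DNS team: selectors are fixed CNAMEs, set up once.
CORP_ZONE = {
    f"s{i}._domainkey.example.com": ("CNAME", f"s{i}._domainkey.dkim.mail-team.example")
    for i in (1, 2, 3)
}

@dataclass
class MailTeamZone:
    """Zone the mail team controls; only these TXT targets change at rotation."""
    records: dict = field(default_factory=dict)
    active: str = ""  # selector currently used for signing
    order: list = field(default_factory=lambda: ["s1", "s2", "s3"])

    def rotate(self, new_pubkey_b64: str) -> str:
        """Start signing with the next selector, overwriting only the oldest key.
        The other two keys stay published, so mail signed shortly before the
        rotation still verifies while it is in transit."""
        nxt = self.order[(self.order.index(self.active) + 1) % 3] if self.active else "s1"
        self.records[f"{nxt}._domainkey.dkim.mail-team.example"] = (
            "TXT", f"v=DKIM1; k=rsa; p={new_pubkey_b64}")
        self.active = nxt
        return nxt

def resolve(name: str, zone: MailTeamZone, hops: int = 0) -> Optional[str]:
    """Follow CNAMEs from the corporate zone into the mail team's zone."""
    if hops > 8:
        raise RuntimeError("CNAME loop")
    rec = CORP_ZONE.get(name) or zone.records.get(name)
    if rec is None:
        return None
    rtype, value = rec
    return resolve(value, zone, hops + 1) if rtype == "CNAME" else value

def key_for_selector(selector: str, zone: MailTeamZone) -> Optional[str]:
    """The p= value a verifier would fetch for <selector>._domainkey.example.com."""
    txt = resolve(f"{selector}._domainkey.example.com", zone)
    if not txt or not txt.startswith("v=DKIM1"):
        return None
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    return tags.get("p")
```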