Re: [Dcrup] Is there anything this WG wants to do not yet in draft-ietf-dcrup-dkim-crypto-01 ?
Scott Kitterman <sklist@kitterman.com> Tue, 20 June 2017 20:13 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF8651315C5 for <dcrup@ietfa.amsl.com>; Tue, 20 Jun 2017 13:13:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 630hqkbmLR3S for <dcrup@ietfa.amsl.com>; Tue, 20 Jun 2017 13:13:40 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [IPv6:2607:f0d0:3001:aa::2]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A894129BA2 for <dcrup@ietf.org>; Tue, 20 Jun 2017 13:13:40 -0700 (PDT)
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id C9C12C400E6 for <dcrup@ietf.org>; Tue, 20 Jun 2017 15:13:37 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1497989617; bh=oaT4jH2LGqh60hPI38WuPMVDRNC01rcqsx7qnto3law=; h=From:To:Subject:Date:In-Reply-To:References:From; b=zze5tD4NUPBN7qyDvKDybRKIC0Pg0E50eN9XdVCirRKJpAtO1gaivd1HVXJgEpqTm lkiSq8p37Ha+JuqyzGPloXXRzv/jQVYBqVepcg56UIJFJNRjAVRyRzMWd2IR8TqJKv SIbHy76RY9rdTiaOW8DtoiVx8qPLGzZnmL+wWdlE=
From: Scott Kitterman <sklist@kitterman.com>
To: dcrup@ietf.org
Date: Tue, 20 Jun 2017 16:13:37 -0400
Message-ID: <1669306.WDH1r8A93p@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-119-generic; KDE/4.13.3; x86_64; ; )
In-Reply-To: <alpine.OSX.2.21.1706201544520.36769@ary.qy>
References: <alpine.OSX.2.21.1706121103510.19565@ary.local> <10416754.S7IJN86VGL@kitterma-e6430> <alpine.OSX.2.21.1706201544520.36769@ary.qy>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/c_Xj53EekOKg_l9J6xFbtuqIytE>
Subject: Re: [Dcrup] Is there anything this WG wants to do not yet in draft-ietf-dcrup-dkim-crypto-01 ?
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jun 2017 20:13:42 -0000
On Tuesday, June 20, 2017 04:01:18 PM John R. Levine wrote: > > I think it's still not clear where the group lies on how dead we should > > kill rsa-sha1. I think the WG chairs are going to have to evaluate the > > consensus and let us know. Once that's done, converging on the correct > > wording should be ~easy (whether it ends up in my draft or John's). > > Given that we are not the Network Police, I don't see this as a very > meaningful questions We can tell people not to sign with sha-1 or to > verify sha-1 signatures, but we can't threaten them with penalties if they > ignore us. > > In practice, the known problems with sha-1 aren't yet very relevant to > short lived signatures like DKIM's since the cost of finding a collision > remains high, so signers can't be bothered to upgrade their signers. I > looked at the last 1000 signed messages I got from non-spam bulkish > mailers, and 354 of them still had sha1 signatures. They can't be > bothered to upgrade, and the IETF has no leverage. > > At some point I expect one of the big gorillas will decide to stop > accepting sha-1 and after a week of panic in the bulk mail community, > they'll all patch their signers and we'll never see another sha-1 > signature again. Right, and when the panic happens (which is, I agree, when this will change for real) I'd like for the engineer getting beat up by his boss to be able to say in response to the "Argh! What should be do" question from the PHB [1] "We need to upgrade our DKIM like it says in RFC XXXX" [2]. I think what you've proposed covers that. Scott K [1] The pointy haired boss (see Dilbert), not the other one. [2] Followed by a mostly silent "Like I've been telling you for a year."
- [Dcrup] combo update draft-ietf-dcrup-dkim-crypto… John R Levine
- Re: [Dcrup] combo update draft-ietf-dcrup-dkim-cr… Martin Thomson
- Re: [Dcrup] combo update draft-ietf-dcrup-dkim-cr… John R Levine
- Re: [Dcrup] combo update draft-ietf-dcrup-dkim-cr… Martin Thomson
- Re: [Dcrup] Is there anything this WG wants to do… John Levine
- Re: [Dcrup] Is there anything this WG wants to do… Salz, Rich
- Re: [Dcrup] Is there anything this WG wants to do… Eric Rescorla
- Re: [Dcrup] Is there anything this WG wants to do… John R Levine
- Re: [Dcrup] Is there anything this WG wants to do… Eric Rescorla
- Re: [Dcrup] Is there anything this WG wants to do… Jon Callas
- Re: [Dcrup] key rotation, was Is there anything t… John R Levine
- Re: [Dcrup] Is there anything this WG wants to do… Scott Kitterman
- Re: [Dcrup] Is there anything this WG wants to do… Scott Kitterman
- Re: [Dcrup] Is there anything this WG wants to do… John R. Levine
- Re: [Dcrup] Is there anything this WG wants to do… John R. Levine
- Re: [Dcrup] Is there anything this WG wants to do… Scott Kitterman
- Re: [Dcrup] Is there anything this WG wants to do… Peter Goldstein