IETF Logo Mail Archive

Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT)

Brandon Long <blong@fiction.net> Tue, 24 October 2017 23:46 UTC

Return-Path: <blong@fiction.net>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1554F139950 for <dcrup@ietfa.amsl.com>; Tue, 24 Oct 2017 16:46:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fiction.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2U4z3sK0FXGX for <dcrup@ietfa.amsl.com>; Tue, 24 Oct 2017 16:46:31 -0700 (PDT)
Received: from mail-qt0-x22a.google.com (mail-qt0-x22a.google.com [IPv6:2607:f8b0:400d:c0d::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DA331394E4 for <dcrup@ietf.org>; Tue, 24 Oct 2017 16:46:31 -0700 (PDT)
Received: by mail-qt0-x22a.google.com with SMTP id 8so32696465qtv.1 for <dcrup@ietf.org>; Tue, 24 Oct 2017 16:46:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fiction.net; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=BkuoZ30lWquHHUXACJFyBj4U/GjCybpchxuMi1co5+I=; b=F53aNyHkQ7WJZjvH7aMIoGsnP1BYUhdqvPjt/++xvXeFIkGBQW1XYEAj5W/cPF6feF hMDE02dLNaK0L/yC28PtvAdlAOrv+XsASxFZwrWt1P9/dbM+55MWw45YjTMzcPF6u5xU 1TwdSEH6XO5l3IyVnQ3kVsve2nMeQxZPIDPX68BWeg2KQxtDqxi2CPktaGJcq6qWBcc7 3IC1UvCHHbA1HOFy2jf77vq/JygYEiaSfxz5ZCNCKVKXCEsegzJcbbW7Nkra+adN8qgI hTjjZUjblTQsB1j36+Ydgl0sScDvhyyURCbLXAz+DlYzxlgUrFYHojc3OtSXA0G80p5J 4/8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=BkuoZ30lWquHHUXACJFyBj4U/GjCybpchxuMi1co5+I=; b=qiTO6Z3CcnTmWGSDcfySn6CNUmy7tCsl69E36mr72bw63OOohdPVxygYIfpS4x5dGm LnGJk86sKeWJ6p2FVnn6VTkKlG+nxr51kcIs+9m8SgUvbTnhtjbVD3kHPvcTfdi/INTi kxtKCSzoQX92QM2p8QkXL2RFiLMxNkipG0b6vPpvayd9NpcmeFnB40QsKJY4bmHOe6OL HQh1h4Y5tBLL6KFoq/J9whi+DUnfZ2YF0a0X1TzRTckpPvbMleJaTfZptc6leAnG29zX +jOXKJch5sGaLaDUEAWbLWKFLpgU+sITts10vurauYmGtESnfekK88rxrbqFEMM0WZHs RF0A==
X-Gm-Message-State: AMCzsaXurRxf1Zs54wXFM7wHN0P0fPPwN+z5fXu7H5wWXSNOah8nFMve QHKSdtGmXGvrHb4+nrvfcBhiVsgP
X-Google-Smtp-Source: ABhQp+SciR6DiqFf9fOQVqkNLPXJg70Zziwler68FKswWTrGxH+3hp3GsNf5hdTiOJPczPSt6kfrxQ==
X-Received: by 10.200.26.15 with SMTP id v15mr6514729qtj.62.1508888790455; Tue, 24 Oct 2017 16:46:30 -0700 (PDT)
Received: from mail-qt0-f176.google.com (mail-qt0-f176.google.com. [209.85.216.176]) by smtp.gmail.com with ESMTPSA id o71sm1008476qka.74.2017.10.24.16.46.29 for <dcrup@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 24 Oct 2017 16:46:29 -0700 (PDT)
Received: by mail-qt0-f176.google.com with SMTP id d9so25877438qtd.7 for <dcrup@ietf.org>; Tue, 24 Oct 2017 16:46:29 -0700 (PDT)
X-Received: by 10.200.34.182 with SMTP id f51mr26584431qta.167.1508888789078; Tue, 24 Oct 2017 16:46:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.101.205 with HTTP; Tue, 24 Oct 2017 16:46:28 -0700 (PDT)
In-Reply-To: <CABuGu1pVBARKZBxVR=Sgkb_kB-CuPrHEPqUxZs57HpmABOpi9A@mail.gmail.com>
References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> <CAL0qLwYiuq3Pt80pkQc5RNr8VV4pAObkPCMYp1NweoEggii+tQ@mail.gmail.com> <CABkgnnXsHt-jEyCvoqXfrWWoQ3-XbwRKPfrFR0WfG1rxQnjrsA@mail.gmail.com> <2E80204C-37D7-4624-BD23-573C386D7899@kitterman.com> <CAL0qLwbXdwKSnhcjr0raVo1Sh+sRzDypLxzHc1swThkBAY8WFg@mail.gmail.com> <CAL0qLwbvRhDqE5o6dXypw-jC71vwdrUJvcmBRRq_64QQw5A9pA@mail.gmail.com> <CABuGu1pVBARKZBxVR=Sgkb_kB-CuPrHEPqUxZs57HpmABOpi9A@mail.gmail.com>
From: Brandon Long <blong@fiction.net>
Date: Tue, 24 Oct 2017 16:46:28 -0700
X-Gmail-Original-Message-ID: <CABa8R6uguXiWWp1gG4K9FzoTFAYtn4nwT42CZu8QPtJH2LiW5g@mail.gmail.com>
Message-ID: <CABa8R6uguXiWWp1gG4K9FzoTFAYtn4nwT42CZu8QPtJH2LiW5g@mail.gmail.com>
To: Kurt Andersen <kurta@drkurt.com>
Cc: "Murray S. Kucherawy" <superuser@gmail.com>, dcrup@ietf.org, Scott Kitterman <sklist@kitterman.com>
Content-Type: multipart/alternative; boundary="001a113f476c48003f055c538cc8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/ctvEVUJfPxE0mxqWI37CrOs8qOw>
Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT)
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Oct 2017 23:46:34 -0000

On Tue, Oct 24, 2017 at 4:35 PM, Kurt Andersen <kurta@drkurt.com> wrote:

> On Tue, Oct 24, 2017 at 8:03 PM, Murray S. Kucherawy <superuser@gmail.com>
> wrote:
>
>> On Tue, Oct 24, 2017 at 12:58 PM, Murray S. Kucherawy <
>> superuser@gmail.com> wrote:
>>
>>> On Thu, Oct 19, 2017 at 3:54 AM, Scott Kitterman <sklist@kitterman.com>
>>> wrote:
>>>
>>>> My assumption had been that since there's no valid signature with
>>>> rsa-sha1, there's nothing to even consider putting in an A-R header field.
>>>>
>>>> I think the only result that can go in this case is None.  I hadn't
>>>> thought we'd need to say that, but I guess maybe we do.
>>>>
>>>
>>> I think "policy" is the right way to go.  There's nothing technically
>>> wrong with an rsa-sha1 signature, but you're deciding not to accept it.
>>> It's the same as you deciding you're not going to accept a perfectly valid
>>> rsa-sha256 signature on a message simply because that signature didn't
>>> include the Subject field.
>>>
>>
>> In fact I would claim that by the definitions in Section 2.7.1 of
>> RFC7601, "policy" is the only option.
>>
>
> Are we talking about before or after this group consigns sha1 to the ash
> heap? Perhaps I'm confused about the sequencing of events that we are
> discussing. If the original DKIM spec had allowed rsa-md5 and a previous
> (hypothetical) instance of DCRUP had similarly deprecated MD5, what sort of
> designation would we expect to be recorded today for such usage?
>

This is obviously a bit different, but today google uses policy for keys
under 1024 bits.  I say "different", because prior to the dcrup work being
published, that's our policy choice.  After, it's the standard, so
permerror might be more appropriate.

Brandon

v2.23.0 | Report a Bug | By Email