Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypto-03

Eric Rescorla <ekr@rtfm.com> Mon, 10 July 2017 02:27 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC06113148C for <dcrup@ietfa.amsl.com>; Sun, 9 Jul 2017 19:27:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WWwBilSZfcWz for <dcrup@ietfa.amsl.com>; Sun, 9 Jul 2017 19:27:22 -0700 (PDT)
Received: from mail-yw0-x231.google.com (mail-yw0-x231.google.com [IPv6:2607:f8b0:4002:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BF50131488 for <dcrup@ietf.org>; Sun, 9 Jul 2017 19:27:22 -0700 (PDT)
Received: by mail-yw0-x231.google.com with SMTP id a12so30287436ywh.3 for <dcrup@ietf.org>; Sun, 09 Jul 2017 19:27:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=LFEb9O7OUEzNXkBUQcg2ASHXf4hm0wZmHkZkyMyELZ8=; b=Rj6KMEnhReei/JJdSzudZx2sJOBey+anfjS5Jh3Y6DnlE34q1izjZHbML8r21CioI4 NGJW5niILwsGhteeBs9PVc3OFx09GHt0rBhBpPgt/6QaRrCXKbvHLqBBHaQdd+gi7kEC O0jaL3FCH+MqWB9cJtZ+lIlokwRuQ/Yq5qm1C1eaJ6LHWUsoDycpin36QdCxbrBFg6kF ne1PjKgiy3qnd5tv9n24Pr4w+h+gZX1ObH+O0tmWMBMSEAziFP/N7Ld29uy4TT06UK08 LxprKIVDr58PG/maIEHL1UIG73HyjLFsW5exBYWoWyognPgbgcMI3L6NbmoPUzKFD03V VdtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=LFEb9O7OUEzNXkBUQcg2ASHXf4hm0wZmHkZkyMyELZ8=; b=P+LWLADgtsZu8Cf68c6bSFB6PCnYNTFHinP5DH6IN+ArA5BQ+rSaAywL7RIywojS4D BcVTb9LLUFcgsC/O7xDlox574MUbsFY1/2qLjBwf3owFLQk8dXXXXcfriZ/g6rPL9Qse ZRiLOVy7Vq1nIn8nM7yiOXuB6ot/RsO+gCVEX9aFz0Msk6UzOcWukLgZ8IuVsHDWZi5/ Dilrf+bGkYwZiYFX7nTU4GPriv+8dU2441dA2GxYWQUD8yEkZPMpsLhPn65r81QHEdOC xUCdHnGOkbr67leWXVqd/5F+zsGXpj/nu+PoNUNBstME/LKxrCPUhfv6q/njuqpb7Sno JqZg==
X-Gm-Message-State: AIVw110RSbOlHFk/9HUZhxqbEc62ZLeeo0p3Ic12IqaaVPbb98MzElaC LYCaOeWqtRW/v8Ju9RAPxO3QAvzq+Ips
X-Received: by 10.129.50.140 with SMTP id y134mr9988215ywy.312.1499653641449; Sun, 09 Jul 2017 19:27:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.215.9 with HTTP; Sun, 9 Jul 2017 19:26:40 -0700 (PDT)
In-Reply-To: <CADPMZDB03S5ffc3_Ker=h08japc2PGAbch3F=+jRL9ZBjCzs3w@mail.gmail.com>
References: <CABkgnnW8nnoRGKoJQ4STAcT6CXdWFRCpz0h20hw+ksfw1x0PGg@mail.gmail.com> <6d4b76c9b42848f1b18c42ba22895993@usma1ex-dag1mb1.msg.corp.akamai.com> <CABcZeBM-qh+iW_+Br2URpdjHsLZ_L1xqZWUVirW-8-E7k4cvzg@mail.gmail.com> <564f297f17424f34b4ba1e118ab6f62c@usma1ex-dag1mb1.msg.corp.akamai.com> <D4D564D0-73C6-45CA-9962-33106229DE02@bluepopcorn.net> <220DB06A-E06D-4DAF-ADE6-7536B6E43630@callas.org> <aeee2c9019114d9789a2cd768f0b15e1@usma1ex-dag1mb1.msg.corp.akamai.com> <F16764CE-D4C4-4A48-9779-37BC8C2D1261@bluepopcorn.net> <CADPMZDB03S5ffc3_Ker=h08japc2PGAbch3F=+jRL9ZBjCzs3w@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 09 Jul 2017 19:26:40 -0700
Message-ID: <CABcZeBNnVrgW7J2nr3ds+++Lau4LRxa2EG69vywyBmBu+uzuPw@mail.gmail.com>
To: denis bider <denisbider.ietf@gmail.com>
Cc: Jim Fenton <fenton@bluepopcorn.net>, "Salz, Rich" <rsalz@akamai.com>, "dcrup@ietf.org" <dcrup@ietf.org>, Martin Thomson <martin.thomson@gmail.com>, Jon Callas <jon@callas.org>
Content-Type: multipart/alternative; boundary="001a1140932a95c5400553ed52d7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/g2apVie4h3FFdkBdeClbO0s9ZeU>
Subject: Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypto-03
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jul 2017 02:27:24 -0000

On Sun, Jul 9, 2017 at 7:21 PM, denis bider <denisbider.ietf@gmail.com>
wrote:

> We can break down the following levels of future proofing:
>
> (1) Future event occurs, and no changes are needed by anyone. The event is
> already accounted for by configurations, implementations, and
> specifications.
>
> (2) Future event occurs, and changes are needed to configurations. The
> event is already accounted for by implementations and specifications.
>
> (3) Future event occurs, and changes are needed to implementations, which
> must then be deployed. The event is already accounted for by specifications.
>
> (4) Future event occurs, and changes are needed to specifications, which
> must then be implemented and deployed. The event is not accounted for.
>
> In this case, when we're talking about "future proofing", we are dealing
> with category (4). We cannot do (1), (2), or (3) because although we know
> what the future event might be (quantum computing), we do not have a
> solution we can specify at this time.
>

Actually, this isn't entirely true. We could presumably deploy hash
signatures, they're just not very efficient. In fact, the one thing that we
do know with high probability about any PQ algorithm is that it is likely
to be less efficient than the existing algorithms, and one of the ways in
which it might be less efficient is large public keys, in which case having
hashes will be useful.

Moreover, QC isn't the only possible event that could cause us to wish to
have larger keys. There might be a modest improvement in dlog that would
make Curve25519 problematic but Curve448 or P-521 comfortable (indeed, this
is how we got to the point where we wish to have RSA keys > 1024).


Requiring fingerprints for ECDSA or EdDSA does nothing for future proofing.
> If the future event occurs, we will still be dealing with a category 4
> event that requires new specifications, new implementations, and new
> deployments. No work will be spared.
>

I don't agree with this for the reasons above.

-Ekr


>
>
> On Sat, Jul 8, 2017 at 1:08 AM, Jim Fenton <fenton@bluepopcorn.net> wrote:
>
>> On Jul 7, 2017, at 4:24 PM, Salz, Rich <rsalz@akamai.com> wrote:
>>
>> >> For what it's worth, I agree with Jim and Ekr. Hashing is just fine.
>> >
>> > Is it fine, or is it a required or just good?
>> >
>> > Nobody is saying there is anything wrong with hashing.  Several are
>> saying that, given the limitations of some DNS deployments, it is useful to
>> avoid the indirection and just put the key when we can.
>>
>> What DNS deployment limitation would be adversely affected by the use of
>> a hash? I can't think of any.
>>
>> "Avoid the indirection" makes it sound like more network round-trips
>> would be required if a hash is used. No more network traffic is involved;
>> the verifier only needs to compute the hash of the key included in the
>> message and compare that with the fingerprint included in the key lookup
>> response from DNS. The verifier can even check the signature prior to
>> receiving the DNS response, if it wants.
>>
>> I'm supporting publishing key fingerprints because I think it's slightly
>> more future-proof, and having been burned by that once already, I don't
>> want to make the same mistake again. But if rough consensus decides
>> otherwise, we go with that of course.
>>
>> I still haven't heard an answer to the following question I posed about
>> the fingerprints, though: Will the fingerprints always be sha256, or do we
>> need to specify the fingerprint algorithm in the DNS record? In other
>> words, will we assume that sha256 will be strong enough for the life of
>> this protocol?
>>
>> -Jim
>> _______________________________________________
>> Dcrup mailing list
>> Dcrup@ietf.org
>> https://www.ietf.org/mailman/listinfo/dcrup
>>
>
>