Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT)

Scott Kitterman <sklist@kitterman.com> Wed, 25 October 2017 00:24 UTC

Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=kitterman.com
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2001409; t=1508891073; bh=Lay/VpYmdVWlqsOm7F8xPRMxi4KIbubdO31dkd70xVU=; h=Date:In-Reply-To:References:Subject:To:From:From; b=FsIX2lnOCVL7lhkjAl79eLYttcqzsKN3bIq08LPRaBnlPKKcWi54ddcZXvJptTkS8 yUsO3Kd+wR6PUTHIUbc753GhvzX5zOJXZmwJxHnToa00geIzAGfrMHzR4edwcWBHBX 2cwwI3kSz3o5Fufu8n+gdHj7Fmt+2nOpbwqy48Ag=
Date: Wed, 25 Oct 2017 00:24:19 +0000
In-Reply-To: <CABa8R6uguXiWWp1gG4K9FzoTFAYtn4nwT42CZu8QPtJH2LiW5g@mail.gmail.com>
References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> <CAL0qLwYiuq3Pt80pkQc5RNr8VV4pAObkPCMYp1NweoEggii+tQ@mail.gmail.com> <CABkgnnXsHt-jEyCvoqXfrWWoQ3-XbwRKPfrFR0WfG1rxQnjrsA@mail.gmail.com> <2E80204C-37D7-4624-BD23-573C386D7899@kitterman.com> <CAL0qLwbXdwKSnhcjr0raVo1Sh+sRzDypLxzHc1swThkBAY8WFg@mail.gmail.com> <CAL0qLwbvRhDqE5o6dXypw-jC71vwdrUJvcmBRRq_64QQw5A9pA@mail.gmail.com> <CABuGu1pVBARKZBxVR=Sgkb_kB-CuPrHEPqUxZs57HpmABOpi9A@mail.gmail.com> <CABa8R6uguXiWWp1gG4K9FzoTFAYtn4nwT42CZu8QPtJH2LiW5g@mail.gmail.com>
To: dcrup@ietf.org
From: Scott Kitterman <sklist@kitterman.com>
Message-ID: <F7F9E898-3208-4F89-BE73-9F70D388152D@kitterman.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/gkyq5R39J1rgbbmaYzvEWwgaHTA>


On October 24, 2017 4:46:28 PM PDT, Brandon Long <blong@fiction.net> wrote:
>On Tue, Oct 24, 2017 at 4:35 PM, Kurt Andersen <kurta@drkurt.com> wrote:
>
>> On Tue, Oct 24, 2017 at 8:03 PM, Murray S. Kucherawy <superuser@gmail.com> wrote:
>>
>>> On Tue, Oct 24, 2017 at 12:58 PM, Murray S. Kucherawy <superuser@gmail.com> wrote:
>>>
>>>> On Thu, Oct 19, 2017 at 3:54 AM, Scott Kitterman <sklist@kitterman.com> wrote:
>>>>
>>>>> My assumption had been that since there's no valid signature with
>>>>> rsa-sha1, there's nothing to even consider putting in an A-R header field.
>>>>>
>>>>> I think the only result that can go in this case is None.  I hadn't
>>>>> thought we'd need to say that, but I guess maybe we do.
>>>>
>>>> I think "policy" is the right way to go.  There's nothing technically
>>>> wrong with an rsa-sha1 signature, but you're deciding not to accept it.
>>>> It's the same as you deciding you're not going to accept a perfectly valid
>>>> rsa-sha256 signature on a message simply because that signature didn't
>>>> include the Subject field.
>>>
>>> In fact I would claim that by the definitions in Section 2.7.1 of
>>> RFC7601, "policy" is the only option.
>>
>> Are we talking about before or after this group consigns sha1 to the ash
>> heap? Perhaps I'm confused about the sequencing of events that we are
>> discussing. If the original DKIM spec had allowed rsa-md5 and a previous
>> (hypothetical) instance of DCRUP had similarly deprecated MD5, what sort of
>> designation would we expect to be recorded today for such usage?
>
>This is obviously a bit different, but today google uses policy for keys
>under 1024 bits.  I say "different", because prior to the dcrup work being
>published, that's our policy choice.  After, it's the standard, so
>permerror might be more appropriate.
>
>Brandon

I prefer None, but I think permerror is reasonable.  Policy means local policy (as you are doing now).  Once this is approved, not accepting short keys (< 1024) or rsa-sha1 is not just a local policy call.

Scott K
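The three positions in this thread (record `none`, record `policy`, record `permerror`) differ only in which RFC 7601 `dkim=` result a verifier writes when it refuses a signature because of the algorithm or key size, before any cryptographic check runs. The following Python sketch is an added illustration, not code from the thread or from any DKIM implementation: it parses a DKIM-Signature tag list and the `p=` SubjectPublicKeyInfo of a key record, measures the RSA modulus, and emits an Authentication-Results value in the `dkim=<result> reason="..." header.d=... header.s=...` shape that RFC 7601 defines (the message's own Authentication-Results header above uses the same shape). The signature values, selector, domain, authserv-id and the key records (built with a placeholder modulus of a chosen size) are all constructed here; the DER reader handles only the RSA SubjectPublicKeyInfo layout DKIM key records carry.

```python
"""Added example: map a refused DKIM signature to an RFC 7601 dkim= result."""
import base64
import re
from typing import Optional

MIN_KEY_BITS = 1024             # threshold discussed in the thread
DEPRECATED_ALGS = {"rsa-sha1"}  # algorithm the dcrup draft retires
RESULTS = ("none", "policy", "permerror")  # the three options under debate


def parse_tags(tag_list: str) -> dict:
    """Parse a DKIM tag=value list (signature header or key record) into a dict."""
    tags = {}
    for field in tag_list.split(";"):
        if "=" in field:
            name, value = field.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # FWS is not part of a value
    return tags


def _der_tlv(data: bytes, pos: int = 0):
    """Read one DER TLV at pos; return (tag, value_bytes, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Modulus size of an RSA SubjectPublicKeyInfo (the decoded p= tag)."""
    tag, body, _ = _der_tlv(spki)          # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, _, pos = _der_tlv(body)             # skip AlgorithmIdentifier
    tag, bitstr, _ = _der_tlv(body, pos)   # BIT STRING holding RSAPublicKey
    if tag != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    _, rsa_pub, _ = _der_tlv(bitstr[1:])   # drop the unused-bits octet
    tag, modulus, _ = _der_tlv(rsa_pub)    # INTEGER n comes first
    if tag != 0x02:
        raise ValueError("RSAPublicKey does not start with the modulus")
    return int.from_bytes(modulus, "big").bit_length()


def key_bits(key_record: str) -> int:
    """Modulus size advertised by a DKIM key record's p= tag."""
    return rsa_modulus_bits(base64.b64decode(parse_tags(key_record)["p"]))


def unacceptable_reason(sig: dict, key_record: str) -> Optional[str]:
    """Why the signature is refused up front, or None if normal verification should run."""
    alg = sig.get("a", "")
    if alg in DEPRECATED_ALGS:
        return f"{alg} signature not accepted"
    bits = key_bits(key_record)
    if bits < MIN_KEY_BITS:
        return f"{bits}-bit key is below the {MIN_KEY_BITS}-bit minimum"
    return None


def authentication_results(authserv_id: str, sig_header: str,
                           key_record: str, result: str) -> Optional[str]:
    """Authentication-Results value for a refused signature, or None when the
    algorithm and key size are acceptable (the caller then verifies normally).
    `result` selects the position taken in the thread: "policy" records the refusal
    as the ADMD's local choice, "permerror" as an unrecoverable error once the
    standard forbids the algorithm, "none" as if no usable signature existed."""
    if result not in RESULTS:
        raise ValueError(f"result must be one of {RESULTS}")
    sig = parse_tags(sig_header)
    reason = unacceptable_reason(sig, key_record)
    if reason is None:
        return None
    return (f'{authserv_id}; dkim={result} reason="{reason}" '
            f"header.d={sig['d']} header.s={sig['s']}")


# --- constructed sample input (not real keys or signatures) -------------------
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def _der_int(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)


def fake_key_record(bits: int) -> str:
    """Constructed key record whose modulus has exactly `bits` bits (placeholder value)."""
    rsa_pub = _der(0x30, _der_int((1 << (bits - 1)) | 1) + _der_int(65537))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


SIG_SHA1 = ("v=1; a=rsa-sha1; c=relaxed/simple; d=example.com; s=sel2017; "
            "h=from:to:subject:date; bh=BODYHASHPLACEHOLDER=; b=SIGPLACEHOLDER=")
SIG_SHA256 = SIG_SHA1.replace("a=rsa-sha1", "a=rsa-sha256")
KEY_512, KEY_2048 = fake_key_record(512), fake_key_record(2048)

if __name__ == "__main__":
    for result in RESULTS:
        print(authentication_results("mx.example.org", SIG_SHA1, KEY_2048, result))
    print(authentication_results("mx.example.org", SIG_SHA256, KEY_512, "permerror"))
    print(authentication_results("mx.example.org", SIG_SHA256, KEY_2048, "policy"))
```

The `result` argument is the only thing that changes between the three positions; the parsing, the key-size check and the `reason=` text are identical. That is the practical point of the thread: the verifier's behaviour is the same either way, and the question is only which RFC 7601 label a downstream consumer should read for a refusal that the standard, rather than the receiving ADMD, now requires.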