Re: [Dcrup] I-D Action: draft-ietf-dcrup-dkim-usage-00.txt

Scott Kitterman <sklist@kitterman.com> Mon, 05 June 2017 16:53 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3AFF129B73 for <dcrup@ietfa.amsl.com>; Mon, 5 Jun 2017 09:53:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9fHHQd9nleRl for <dcrup@ietfa.amsl.com>; Mon, 5 Jun 2017 09:53:51 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E27BC129B6F for <dcrup@ietf.org>; Mon, 5 Jun 2017 09:53:39 -0700 (PDT)
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 8BA00C401BE for <dcrup@ietf.org>; Mon, 5 Jun 2017 11:53:38 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1496681618; bh=W4T0rtCwLynls8m6pzaiWQVUVVCzEjCeyYPu+6tTAZI=; h=From:To:Subject:Date:In-Reply-To:References:From; b=R6mgzQwuDFU9DP9xONlSmwLomD+Nf8Rhd9ygA8Isiq0no0fWwiYq1D9H1t7bAeeXA jSW1yzgGk9mJu4xvXhOxEtIlvKt0Hb8aiahh75eb8KbuA5eP0Cfb9VgeEuvzCD6NYC pcPYZPG13NA/bEjOpZIBvgKeQJrb04GFmrzvxS90=
From: Scott Kitterman <sklist@kitterman.com>
To: dcrup@ietf.org
Date: Mon, 05 Jun 2017 12:53:38 -0400
Message-ID: <1830430.b8hTZcbnc5@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-119-generic; KDE/4.13.3; x86_64; ; )
In-Reply-To: <A5830D7B-CC95-4296-99B6-B4A1BE5CF617@nist.gov>
References: <149619233095.19793.14947085917778354002@ietfa.amsl.com> <A5830D7B-CC95-4296-99B6-B4A1BE5CF617@nist.gov>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/lS865C5XFJEww0NwJovURhVwDF8>
Subject: Re: [Dcrup] I-D Action: draft-ietf-dcrup-dkim-usage-00.txt
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Jun 2017 16:53:54 -0000

I hear you.  I expect this to be the most contentious part of the draft.

Here's my counter argument:

The first DKIM RFC (RFC 4871), published in 2007 said:

> Signers MUST implement and SHOULD sign using rsa-sha256

I believe that the only reason rsa-sha1 was included at all was to make 
transition from domainkeys easier (see RFC 4870).  That's also (as I 
understand it where the 512 bit minimum key size came from).

We've already had a decade for transition.  I think we are well into the 
territory that if there are signatures being done with rsa-sha1, it's unlikely 
to change until they stop working.

In related news, I added an informative reference to RFC 6194 and mentioned it 
in security considerations.

Fundamentally, I don't think anything other than removing it entirely changes 
anything.  As long as receivers MAY, they probably will and if they don't 
senders will complain "Why didn't you?", it's still allowed.  MUST NOT on both 
sides of the equation gives a clear answer.  "Go read RFC XXXX.  If it's a 
problem for you, you aren't doing something you SHOULD have been doing since 
2007, so you own the interoperability problem."

If someone doesn't want to drop rsa-sha1, they are free to not implement that 
change, so I don't see leaving the MAY in there for receivers as advantageous.

We know we need to add a new algorithm to replace it and two is plenty.  Let's 
kill it dead.

As a working group document editor, I'll change it however the group wants (of 
course), but I think we should either kill rsa-sha1 entirely in this document 
or leave it out entirely and let one of the follow-on documents add a new 
algorithm and remove rsa-sha1.  Preferably a clean kill or, failing that, not 
at all is what I think we should do.

Scott K

On Monday, June 05, 2017 12:21:08 PM Rose, Scott wrote:
> I’ve read the draft and I admire the willingness to plant a stake in
> the ground in making rsa-sha1 obsolete.
> 
> I think it would help to be more explicit about which requirement
> applies to which role (implement vs deploy/administrate).  For example:
> 
> 3 DKIM Signing and Verification Algorithms
> 
>     This section replaces [RFC6376] Section 3.3 in its entirety.
> 
>     DKIM supports multiple digital signature algorithms.  Two algorithms
>     were defined by [RFC6376]: rsa-sha1 and rsa-sha256.  Signers MUST
>     implement and sign using rsa-sha256.  Verifiers MUST implement rsa-
>     sha256 and MAY implement rsa-sha1 for backwards compatibility.
>     The rsa-sha1 signing algorithm is obsolete and MUST NOT be
>     used.
> 
> 3.1.  The rsa-sha1 Signing Algorithm
> 
>     This algorithm is obsolete and MUST NOT be used by signers.
> 
> 
> This doesn’t change the main idea, but calls out the fact that
> rsa-sha1 will be sticking around for a period of time as administrators
> are not going to read this doc and/or not going to change things that
> are working for them now.
> 
> Scott
> 
> On 30 May 2017, at 20:58, internet-drafts@ietf.org wrote:
> > A New Internet-Draft is available from the on-line Internet-Drafts
> > directories.
> > This draft is a work item of the DKIM Crypto Update of the IETF.
> > 
> >         Title           : Cryptographic Algorithm and Key Usage to
> > 
> > DKIM
> > 
> >         Author          : Scott Kitterman
> > 	
> > 	Filename        : draft-ietf-dcrup-dkim-usage-00.txt
> > 	Pages           : 5
> > 	Date            : 2017-05-30
> > 
> > Abstract:
> >    The cryptographic algorithm and key size requirements included when
> >    DKIM was designed in the last decade are functionally obsolete and
> > 
> > in
> > 
> >    need of immediate revision.  This document updates DKIM
> > 
> > requirements
> > 
> >    to those minimaly suitable for operation with currently specified
> >    algorithms.  This document updates RFC 6376.
> > 
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-dcrup-dkim-usage/
> > 
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-ietf-dcrup-dkim-usage-00
> > https://datatracker.ietf.org/doc/html/draft-ietf-dcrup-dkim-usage-00
> > 
> > 
> > Please note that it may take a couple of minutes from the time of
> > submission
> > until the htmlized version and diff are available at tools.ietf.org.
> > 
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> > 
> > _______________________________________________
> > Dcrup mailing list
> > Dcrup@ietf.org
> > https://www.ietf.org/mailman/listinfo/dcrup
> 
> ===================================
> Scott Rose
> NIST ITL
> scott.rose@nist.gov
> +1-301-975-8439
> GV: +1-571-249-3671
> ===================================
> 
> _______________________________________________
> Dcrup mailing list
> Dcrup@ietf.org
> https://www.ietf.org/mailman/listinfo/dcrup