Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00

"John Levine" <johnl@taugh.com> Fri, 19 May 2017 14:43 UTC

Date: Fri, 19 May 2017 14:42:43 -0000
Message-ID: <20170519144243.4945.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: dcrup@ietf.org
Cc: mdb@juniper.net
In-Reply-To: <71169.1495194707@eng-mail01.juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/mJZ2Nj5bFhuE5X8xa91ij1lGqes>
List-Id: DKIM Crypto Update <dcrup.ietf.org>

In article <71169.1495194707@eng-mail01.juniper.net> you write:
>Hi,
>
>I suggest that 2048 bit RSA be considered the minimum key size.
>Smaller sizes are not really safe these days.

I'm surprised to hear this.  Remember that DKIM signatures are
relatively low value and not intended to be archival.  They're
typically verified within a day of being signed, and the design
encourages key rotation (although I admit that in practice most people
don't rotate very often.)

How much effort does it take to crack a 1k signature?


>In any update of RSA, you really need to determine if your RSA keys will
>be using RSASSA-PSS or PKCS#1 v1.5 padding and be careful in the
>signature verification methods being used as well as specifying the use
>of the SHA2 hash to be used if the key size is greater than RSA 3072
>which is the largest that should probably use SHA2-256. RSA key sizes in
>excess of 3072-bit keys may want to consider SHA2-384 or SHA2-512
>hashes.

I don't purport to be a crypto expert and haven't a clue.  In practice
people use whatever "openssl genrsa" provides.  I'm not too worried
about keys bigger than 3K since I expect that by the time 2K keys
are too weak, people will migrate to a different algorithm.

>I note that you are suggesting signing using ECDH and wonder if you
>intended to specify ECDSA or EdDSA as a way to digitally sign using
>Elliptic Curve methods as generally ECDH is used for key agreement
>protocols.

Beats me.  What should we use to maximize interoperability and have
lots of free libraries ready to use?

R's,
John
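
Added example, not part of the message above or of the draft: a Python check that reads the RSA modulus size out of a DKIM key record's `p=` tag and compares it with the 2048-bit minimum proposed in the quoted text. The function names and `MIN_BITS` are hypothetical, and the sample records are constructed with a placeholder modulus that is not a real RSA key.

```python
import base64

MIN_BITS = 2048  # minimum proposed in the quoted message; adjust to local policy

def _der(tag, value):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        head = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        head = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def _read(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:              # long form: low 7 bits = number of length bytes
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_bits(record):
    """Modulus size in bits of the RSA key in a DKIM key record's p= tag."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)      # base64 padding may contain '='
            tags[name.strip()] = "".join(value.split())
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("no usable RSA key (other key type, or empty p=: revoked)")
    _, spki, _ = _read(base64.b64decode(tags["p"]))   # SubjectPublicKeyInfo
    _, _, pos = _read(spki)                           # skip AlgorithmIdentifier
    _, bit_string, _ = _read(spki, pos)
    _, rsa_key, _ = _read(bit_string[1:])             # drop unused-bits octet
    _, modulus, _ = _read(rsa_key)                    # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()

def below_minimum(record):
    return rsa_bits(record) < MIN_BITS

def sample_record(bits):
    """Constructed record: valid structure, but the modulus is NOT a real RSA key."""
    integer = lambda v: _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    key = _der(0x30, integer((1 << (bits - 1)) | 1) + integer(65537))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    spki = _der(0x30, alg + _der(0x03, b"\x00" + key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```
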