[Dcrup] Review of draft-ietf-dcrup-dkim-crypto-03

Martin Thomson <martin.thomson@gmail.com> Fri, 07 July 2017 03:20 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6276712EBFF for <dcrup@ietfa.amsl.com>; Thu, 6 Jul 2017 20:20:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TpOhaQoCM8Bk for <dcrup@ietfa.amsl.com>; Thu, 6 Jul 2017 20:20:13 -0700 (PDT)
Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CD3512741D for <dcrup@ietf.org>; Thu, 6 Jul 2017 20:20:13 -0700 (PDT)
Received: by mail-it0-x231.google.com with SMTP id v202so20430402itb.0 for <dcrup@ietf.org>; Thu, 06 Jul 2017 20:20:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=pQ7Y3vNHW35gytng7kCc5XW+3tB0iNjbuQgdHBUoszY=; b=rPBqWj5JuwpFc+2m+1Udk7XN/R2oEgQERoruiAz8kKQBlFJEG9Jiz0uG/Xy2h5zJft S2PWNqNFA8eQCh9JjRaEZ6MKfReCq93LMCH4wLBDVZLF5NAAxapkqNQ052377rb8RD4+ 7tQ50Vcn9VTwXDbipFpX8p8DHt3fH0Z2e92yrp951PY4gx/dz7DX6A6ujwRpnilCo++P ax3rua5lIfHlNUGXZFrAb10R6EkugB1es0AuDNKhWUFVKzzZyX6I5bbE3IVX0691O+8u rlivUuBjOglWPzRYc+GZeW4Se6c5pEq3wb7f9KVg4cGmZ5VYOJU9C/zlK6avd7V2RR69 2a3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=pQ7Y3vNHW35gytng7kCc5XW+3tB0iNjbuQgdHBUoszY=; b=Uah85D9tlNbGf0ncHMg8XaFV1X8OtfrO9aAqVIdUbXw6iAYs+D02RD3xqZXZ74cCiD WCfZey47b8vBqdShImuIxsqd58OPEvlfMYeL182S+TGa+g9rAusIgBgyT/EMVX5nPwCG cc4P9/tp7CQRFc2++/yBuP+wtHs5H3DtuZzYeuY4QDVq0w59kACF8boktbVegeYNxIeT miqJDStypKwTXYXzE5GG+XAoYEaRB8MFJ84ZozPIyCsz9eysRmPQ1CkZS9HRNBe3NXaZ FCVqvGVUdL/u+n2n3BkEDZsKyeJPs1ROOlKO/A3mGB0kQBqYK3zHPtV9G70+MxMM1XRT B58A==
X-Gm-Message-State: AIVw111ARGS9lRwgtvTBsKqxOoKrZG4sZwLc1fePxX1CsRpzZtwNSTR2 gyoHe/gWhwTyu/gtpV21pFZXKvK2EIoecyg=
X-Received: by 10.36.36.135 with SMTP id f129mr1143818ita.60.1499397612714; Thu, 06 Jul 2017 20:20:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.129.162 with HTTP; Thu, 6 Jul 2017 20:20:12 -0700 (PDT)
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 07 Jul 2017 13:20:12 +1000
Message-ID: <CABkgnnW8nnoRGKoJQ4STAcT6CXdWFRCpz0h20hw+ksfw1x0PGg@mail.gmail.com>
To: dcrup@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/moVCL7ORPsDsUTT4QAuYTO8Glts>
Subject: [Dcrup] Review of draft-ietf-dcrup-dkim-crypto-03
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jul 2017 03:20:15 -0000

In its current form, I had a hard time extracting the goals of this
document from the text, even though the abstract is clear, the
introduction isn't clear enough on the specifics, see below.

I think that Scott's draft does a much better job of the SHA-1 removal
and attempting to do this all at once in this document isn't helping
its clarity at all.  (Also, this practice of patching RFCs by
providing replacement for statements in them makes reading the update
as a standalone document unnecessarily difficult in my opinion.)

On hashing here: hash everything.  Ed25519 might be the last algorithm
that has a key that is this small.  Uniformity is more valuable than
space here.

On PSS: I think that the idea is to retain the existing primitive with
the fingerprint-based mode, so we should define "rsafp" as using
PKCS#1v1.5 and accept the shortcomings of that.  I would support the
addition of a PSS-based scheme.

Introduction

The framing of this document needs to be improved.  The point of this
draft is to define new ways to sign e-mail messages that are stronger
than what the existing mechanisms allow.

The first paragraph here is good, it establishes that the existing
mechanism (the only one!) is limited by real practical concerns.

The second paragraph should instead say that it is introducing
signature algorithms:

~~~
This document adds two signing mechanisms for DKIM.  A mechanism using
the Edwards-Curve Digital Signature Algorithm (EdDSA) [RFC8032] is
defined in Section 3.  A variant of RSA signatures that uses the
existing underlying RSA primitives is defined in Section 4.  This RSA
variant uses a hashed representation of the public key that allows for
use of larger keys.
~~~

Section 3

This could be more direct:
~~~
3. Signature with Ed25519

The "ed25519" signature algorithm uses Ed25519 [RFC8032] and SHA-256 [SHA-2].

To use this signature method, the message is canonicalized according
to [RFC6376] then hashed using SHA-256.  The hash is signed using the
Pure variant of Ed25519.

This signature algorithm is identified with the value "ed25519" in the
"k=" parameter of a textual key representation and the value
"ed25519-sha256" in the "a=" parameter of the DKIM-Signature header
field.
~~~

IMPORTANT: This should be "ed25519" instead of "eddsa"; we've started
identifying a single primitive in other protocols, and you don't want
to contort things if you ever have to add Ed448.

Section 4

In the same way, this could be direct.  This is defining a new
signature algorithm.  The description can explain how this diverges
from the existing norm, but still be a complete specification.

~~~
The "rsafp" signature algorithm uses the same RSA-PKCS#1v1.5 [RSA-REF]
primitive to sign as that used in "rsa".  However, this algorithm
places a hash of the public key in textual representation in place of
the DER-encoded RSAPublicKey defined in [RFC6376].  This allows for
use of larger keys without the need for larger textual
representations, which might otherwise exceed the space in DNS TXT
records.

The method for signing a message is the same as that described for
"rsa-sha256" in [RFC6376].  The signer MUST also include a "p="
parameter in the DKIM-Signature header field (see Section XXX).  This
parameter includes the base64- and DER-encoded RSAPublicKey that was
used to generate the signature.

Textual representations of "rsafp" keys are identical to that of
"rsa-sha256", except that the "p=" parameter contains a SHA-256 hash
of the DER-encoded RSAPublicKey.  This limits the size of the textual
representation.

In addition to verifying the signature using this public key, a
verifier MUST also ensure that the decoded "p=" parameter that
accompanies the signature is equal to the SHA-256 hash of the decoded
"p=" parameter from the textual representation of the key.

This signature algorithm is identified with the value "rsafp" in the
"k=" parameter of a textual key representation and the value
"rsafp-sha256" in the "a=" parameter of the DKIM-Signature header
field.
~~~

IMPORTANT: The document then needs a new section defining "p=" for use
in DKIM-Signature.

This paragraph doesn't seem to be adding any value:

   Section 3.7 of [RFC6376], on computing the message hashes, is not
   modified.  Since the key in the k= tag is known in advance, it [is]
   included in the signature in the same manner as all of the other
   signature fields other than b=.

Sections 3 and 4

Both Section 3 and Section 4 need to explicitly say that the "h="
parameter is not valid for the algorithms defined in this document and
that SHA-256 is the only allowed hash algorithm that can be used with
these.  The current structure does not permit the use of a different
hash algorithm for the fingerprint; we should be prepared to define a
new identifier if we ever need to provide a SHA-256 alternative.

Nits

Capitalize "section" throughout.

There is a reference to FIPS-180 in a table, but it doesn't appear in
the references section.