[Dcrup] Review of draft-ietf-dcrup-dkim-crypto-03
Martin Thomson <martin.thomson@gmail.com> Fri, 07 July 2017 03:20 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6276712EBFF for <dcrup@ietfa.amsl.com>; Thu, 6 Jul 2017 20:20:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TpOhaQoCM8Bk for <dcrup@ietfa.amsl.com>; Thu, 6 Jul 2017 20:20:13 -0700 (PDT)
Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CD3512741D for <dcrup@ietf.org>; Thu, 6 Jul 2017 20:20:13 -0700 (PDT)
Received: by mail-it0-x231.google.com with SMTP id v202so20430402itb.0 for <dcrup@ietf.org>; Thu, 06 Jul 2017 20:20:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=pQ7Y3vNHW35gytng7kCc5XW+3tB0iNjbuQgdHBUoszY=; b=rPBqWj5JuwpFc+2m+1Udk7XN/R2oEgQERoruiAz8kKQBlFJEG9Jiz0uG/Xy2h5zJft S2PWNqNFA8eQCh9JjRaEZ6MKfReCq93LMCH4wLBDVZLF5NAAxapkqNQ052377rb8RD4+ 7tQ50Vcn9VTwXDbipFpX8p8DHt3fH0Z2e92yrp951PY4gx/dz7DX6A6ujwRpnilCo++P ax3rua5lIfHlNUGXZFrAb10R6EkugB1es0AuDNKhWUFVKzzZyX6I5bbE3IVX0691O+8u rlivUuBjOglWPzRYc+GZeW4Se6c5pEq3wb7f9KVg4cGmZ5VYOJU9C/zlK6avd7V2RR69 2a3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=pQ7Y3vNHW35gytng7kCc5XW+3tB0iNjbuQgdHBUoszY=; b=Uah85D9tlNbGf0ncHMg8XaFV1X8OtfrO9aAqVIdUbXw6iAYs+D02RD3xqZXZ74cCiD WCfZey47b8vBqdShImuIxsqd58OPEvlfMYeL182S+TGa+g9rAusIgBgyT/EMVX5nPwCG cc4P9/tp7CQRFc2++/yBuP+wtHs5H3DtuZzYeuY4QDVq0w59kACF8boktbVegeYNxIeT miqJDStypKwTXYXzE5GG+XAoYEaRB8MFJ84ZozPIyCsz9eysRmPQ1CkZS9HRNBe3NXaZ FCVqvGVUdL/u+n2n3BkEDZsKyeJPs1ROOlKO/A3mGB0kQBqYK3zHPtV9G70+MxMM1XRT B58A==
X-Gm-Message-State: AIVw111ARGS9lRwgtvTBsKqxOoKrZG4sZwLc1fePxX1CsRpzZtwNSTR2 gyoHe/gWhwTyu/gtpV21pFZXKvK2EIoecyg=
X-Received: by 10.36.36.135 with SMTP id f129mr1143818ita.60.1499397612714; Thu, 06 Jul 2017 20:20:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.129.162 with HTTP; Thu, 6 Jul 2017 20:20:12 -0700 (PDT)
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 07 Jul 2017 13:20:12 +1000
Message-ID: <CABkgnnW8nnoRGKoJQ4STAcT6CXdWFRCpz0h20hw+ksfw1x0PGg@mail.gmail.com>
To: dcrup@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/moVCL7ORPsDsUTT4QAuYTO8Glts>
Subject: [Dcrup] Review of draft-ietf-dcrup-dkim-crypto-03
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jul 2017 03:20:15 -0000
In its current form, I had a hard time extracting the goals of this document from the text, even though the abstract is clear, the introduction isn't clear enough on the specifics, see below. I think that Scott's draft does a much better job of the SHA-1 removal and attempting to do this all at once in this document isn't helping its clarity at all. (Also, this practice of patching RFCs by providing replacement for statements in them makes reading the update as a standalone document unnecessarily difficult in my opinion.) On hashing here: hash everything. Ed25519 might be the last algorithm that has a key that is this small. Uniformity is more valuable than space here. On PSS: I think that the idea is to retain the existing primitive with the fingerprint-based mode, so we should define "rsafp" as using PKCS#1v1.5 and accept the shortcomings of that. I would support the addition of a PSS-based scheme. Introduction The framing of this document needs to be improved. The point of this draft is to define new ways to sign e-mail messages that are stronger than what the existing mechanisms allow. The first paragraph here is good, it establishes that the existing mechanism (the only one!) is limited by real practical concerns. The second paragraph should instead say that it is introducing signature algorithms: ~~~ This document adds two signing mechanisms for DKIM. A mechanism using the Edwards-Curve Digital Signature Algorithm (EdDSA) [RFC8032] is defined in Section 3. A variant of RSA signatures that uses the existing underlying RSA primitives is defined in Section 4. This RSA variant uses a hashed representation of the public key that allows for use of larger keys. ~~~ Section 3 This could be more direct: ~~~ 3. Signature with Ed25519 The "ed25519" signature algorithm uses Ed25519 [RFC8032] and SHA-256 [SHA-2]. To use this signature method, the message is canonicalized according to [RFC6376] then hashed using SHA-256. The hash is signed using the Pure variant of Ed25519. This signature algorithm is identified with the value "ed25519" in the "k=" parameter of a textual key representation and the value "ed25519-sha256" in the "a=" parameter of the DKIM-Signature header field. ~~~ IMPORTANT: This should be "ed25519" instead of "eddsa"; we've started identifying a single primitive in other protocols, and you don't want to contort things if you ever have to add Ed448. Section 4 In the same way, this could be direct. This is defining a new signature algorithm. The description can explain how this diverges from the existing norm, but still be a complete specification. ~~~ The "rsafp" signature algorithm uses the same RSA-PKCS#1v1.5 [RSA-REF] primitive to sign as that used in "rsa". However, this algorithm places a hash of the public key in textual representation in place of the DER-encoded RSAPublicKey defined in [RFC6376]. This allows for use of larger keys without the need for larger textual representations, which might otherwise exceed the space in DNS TXT records. The method for signing a message is the same as that described for "rsa-sha256" in [RFC6376]. The signer MUST also include a "p=" parameter in the DKIM-Signature header field (see Section XXX). This parameter includes the base64- and DER-encoded RSAPublicKey that was used to generate the signature. Textual representations of "rsafp" keys are identical to that of "rsa-sha256", except that the "p=" parameter contains a SHA-256 hash of the DER-encoded RSAPublicKey. This limits the size of the textual representation. In addition to verifying the signature using this public key, a verifier MUST also ensure that the decoded "p=" parameter that accompanies the signature is equal to the SHA-256 hash of the decoded "p=" parameter from the textual representation of the key. This signature algorithm is identified with the value "rsafp" in the "k=" parameter of a textual key representation and the value "rsafp-sha256" in the "a=" parameter of the DKIM-Signature header field. ~~~ IMPORTANT: The document then needs a new section defining "p=" for use in DKIM-Signature. This paragraph doesn't seem to be adding any value: Section 3.7 of [RFC6376], on computing the message hashes, is not modified. Since the key in the k= tag is known in advance, it [is] included in the signature in the same manner as all of the other signature fields other than b=. Sections 3 and 4 Both Section 3 and Section 4 need to explicitly say that the "h=" parameter is not valid for the algorithms defined in this document and that SHA-256 is the only allowed hash algorithm that can be used with these. The current structure does not permit the use of a different hash algorithm for the fingerprint; we should be prepared to define a new identifier if we ever need to provide a SHA-256 alternative. Nits Capitalize "section" throughout. There is a reference to FIPS-180 in a table, but it doesn't appear in the references section.
- [Dcrup] Review of draft-ietf-dcrup-dkim-crypto-03 Martin Thomson
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Salz, Rich
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Eric Rescorla
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Salz, Rich
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Jim Fenton
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Jon Callas
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Scott Kitterman
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Salz, Rich
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Jim Fenton
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Jon Callas
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Scott Kitterman
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Peter Goldstein
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… James Cloos
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Scott Kitterman
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Russ Housley
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… John Levine
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… John Levine
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… John Levine
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Russ Housley
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… John R Levine
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Eric Rescorla
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Scott Kitterman
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Eric Rescorla
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… John Levine
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Eric Rescorla
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… denis bider
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Eric Rescorla
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Peter Goldstein
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Eric Rescorla
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Peter Goldstein
- Re: [Dcrup] Review of draft-ietf-dcrup-dkim-crypt… Eric Rescorla