IETF Logo Mail Archive

Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00

Peter Goldstein <peter@valimail.com> Fri, 19 May 2017 17:40 UTC

Return-Path: <peter@valimail.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6934B129A99 for <dcrup@ietfa.amsl.com>; Fri, 19 May 2017 10:40:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.381
X-Spam-Level:
X-Spam-Status: No, score=0.381 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c5f7pBfRzLxc for <dcrup@ietfa.amsl.com>; Fri, 19 May 2017 10:40:12 -0700 (PDT)
Received: from mail-qt0-x235.google.com (mail-qt0-x235.google.com [IPv6:2607:f8b0:400d:c0d::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0369B1287A7 for <dcrup@ietf.org>; Fri, 19 May 2017 10:40:11 -0700 (PDT)
Received: by mail-qt0-x235.google.com with SMTP id c13so63722155qtc.1 for <dcrup@ietf.org>; Fri, 19 May 2017 10:40:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=6qoslcEAaoHuMT4cqcg1jS8hg7RGWr0rg8ntZpUvdcs=; b=E1DicSkgOOTdvp5fNhZL7hyU4bTpXrW17zkJO2+UQg8uwRpd/qjd7Y6yaOLaFOUO3M 4fFFkbnaImojuz2djZJJUkOSawqh63IpQIJ4Wu/XYpNz3b4R/C9y8BdJpQb9S9WjGgFM Byfus+7jfgfpdWZubyzuMOLaYRgPBKnN3vyzsZAwKHIbUy/yGVzvpUU35/e2AJI/vlSf gWQYXIsAEg3YpYXrX0htezNAdIS9omlSwg1J+9clLpi7O4WhiqrddyjTVJJ2bNeJzYOa G69f+9RZfq8i83+4vwBi21AubCcOPXKII0Pz+q6OgpG06YaB6CZdD11Fi/UXcx5RzOAA UKNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=6qoslcEAaoHuMT4cqcg1jS8hg7RGWr0rg8ntZpUvdcs=; b=XR1mXq8kIzj/gWbie4a0aRey6BTk/hYED1qObk1d/s1L06IYt4vSb33lhmHxYSJA0m UG+CvPX4bwYciqshhu0+x18VXUSL33/hTrHGMd7J9iE1RlBzEm76cr0jlJOdkFAnI3JA qoCoNhzW3PDb3E6EoHChr/JexWi+5bUN8vufFd77tW7qhpCv1XdWn2ygy1ONriChtK8x gOiDdYk4Hqd/lwJfkZkm3zx9UHeuHLT8mK0iwPSrJ4BfNF+MdnFSnygWHnfsNl02wM8O CN/d7W2+zbyvctoUUgAsPlZFNl8HBtKSKJM7vjLmKegpSmALe5lq7pPJPx6UQwKUmkjI KK+A==
X-Gm-Message-State: AODbwcDcSXwIJ+uRZRbT3/R9p/hhZ9P5UX9IbfgESzgdV270YX2D1Rqw Pf5xT4uhACb350yC7pCCGjESsmLUxKaIsx0=
X-Received: by 10.200.55.6 with SMTP id o6mr9949936qtb.236.1495215611092; Fri, 19 May 2017 10:40:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.185.152 with HTTP; Fri, 19 May 2017 10:40:10 -0700 (PDT)
In-Reply-To: <360CB42F-6B1A-4A6F-95D2-EFF36C449EBB@vigilsec.com>
References: <20170519144243.4945.qmail@ary.lan> <360CB42F-6B1A-4A6F-95D2-EFF36C449EBB@vigilsec.com>
From: Peter Goldstein <peter@valimail.com>
Date: Fri, 19 May 2017 10:40:10 -0700
Message-ID: <CAOj=BA0gKP9x5jgkZEUJD-EJvRSwC0dgmijwbDirsCQT4z0E4Q@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: dcrup@ietf.org
Content-Type: multipart/alternative; boundary="001a1140a0b05cb4b1054fe40377"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/rs8PjrgvtdMQIvY-mjgApuRvMmQ>
Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 May 2017 17:40:15 -0000

It's going to be hard to move straight to 2048 bit RSA as the minimum key
size.

The challenges with 2048 bit RSA are largely an issue of the limitations of
the DNS infrastructure in use by the sending domain.  In some DNS managers,
the Web UIs (and occasionally the underlying infrastructure) don't allow
domain owners to enter records that are larger than 512 octets.  Users of
these DNS managers generally cannot provision 2048 bit key DKIM TXT
records.  That's a problem for self-managed infrastrucutre and email
services that provide TXT records for DKIM.

Also, as far as I'm aware almost none of the existing email service
providers offers the option of a 2048 bit DKIM key out of the box.  For
those systems that use CNAMEs, upgrading to 2048 bit keys will be
relatively straightforward.  But for those that distribute TXT records
(most of them), they will face more of a challenge to upgrade their users
to 2048 bit keys - both because of the above domain limitations and because
they're going to need to get their customers to make DNS changes.

Given the above, Scott's suggested approach for RSA sounds like the right
one - especially if we can combine it with statements from the large
receivers that they will plan to sunset support for 1024 bit keys (much as
they did for 512 bit keys) at some point in the future.  That will both
incentivize domain owners and email services to upgrade their key size to
2048 and give the ecosystem time to adjust.
That said, I think it's also important to start the process of
transitioning to Elliptic Curve.  Defining the updates to the spec, getting
some software to support it (i.e. OpenDKIM), and working with the large
receivers to get them onboard are all steps that can be taken in parallel
with Scott's suggested approach for RSA keys.

Best,

Peter

On Fri, May 19, 2017 at 10:02 AM, Russ Housley <housley@vigilsec.com> wrote:

> >> I suggest that 2048 bit RSA be considered the minimum key size.
> >> Samller sizes are not really safe these days.
> > I'm surprised to hear this.  Remember that DKIM signatures are
> > relatively low value and not intended to be archival.  They're
> > typically verified within a day of being signed, and the design
> > encourages key rotation (although I admit that in practice most people
> > don't rotate very often.)
> >
> > How much effort does it take to crack a 1k signature?
>
> NIST has told everyone to move away from SHA-1 for for all uses except
> HMAC-SHA-1.
>
> NIST has told everyone to move toward RSA with 2048 bit keys, even for
> entity authentication applications like DKIM.
>
> If RSA keys of that size are a problem, then it it time to start the
> transition to Elliptic Curve.  We know it will not happen the day the RFC
> gets published.
>
> Russ
>
> _______________________________________________
> Dcrup mailing list
> Dcrup@ietf.org
> https://www.ietf.org/mailman/listinfo/dcrup
>



-- 


[image: logo for sig file.png]

Bringing Trust to Email

Peter Goldstein | CTO & Co-Founder

peter@valimail.com
+1.415.793.5783

v2.23.0 | Report a Bug | By Email