Re: [Dcrup] I-D Action: draft-ietf-dcrup-dkim-usage-00.txt

Scott Kitterman <sklist@kitterman.com> Mon, 05 June 2017 20:24 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3AFB129C6E for <dcrup@ietfa.amsl.com>; Mon, 5 Jun 2017 13:24:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1zSLmu5j7D7n for <dcrup@ietfa.amsl.com>; Mon, 5 Jun 2017 13:24:43 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [IPv6:2607:f0d0:3001:aa::2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DCD1128BB6 for <dcrup@ietf.org>; Mon, 5 Jun 2017 13:24:43 -0700 (PDT)
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id DEFB7C401BE for <dcrup@ietf.org>; Mon, 5 Jun 2017 15:24:39 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1496694279; bh=SsCgk/M1/CH0oE8W2KSUWB7RlSfBdsq2nejSh1lfgCM=; h=From:To:Subject:Date:In-Reply-To:References:From; b=p62QGJBd3Mi3Ds/3bAfjnHjScWwjqM6h+MWj9Wqx2Vao0/NV4V9YLt1G4UoQWiRzn wlV1c0ZbmSPhHi8YhwuCOLxamifes/rPfV4a0zSWseW5i6CRcl/pt7XNw/Ixq+QczV azYPaF4DHA9OGZq5Ri5AzNvqdwwxUQy4mLxd8wS8=
From: Scott Kitterman <sklist@kitterman.com>
To: dcrup@ietf.org
Date: Mon, 05 Jun 2017 16:24:39 -0400
Message-ID: <15443906.qFJeu8PeI7@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-119-generic; KDE/4.13.3; x86_64; ; )
In-Reply-To: <CAL0qLwYOr0iMh2HkyBBUbwBE+4Mz=ZDxyPiHBtzKcFBbNwwSSg@mail.gmail.com>
References: <149619233095.19793.14947085917778354002@ietfa.amsl.com> <1830430.b8hTZcbnc5@kitterma-e6430> <CAL0qLwYOr0iMh2HkyBBUbwBE+4Mz=ZDxyPiHBtzKcFBbNwwSSg@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/s05FjHpTRahe0_mbHEtuoVTopM8>
Subject: Re: [Dcrup] I-D Action: draft-ietf-dcrup-dkim-usage-00.txt
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Jun 2017 20:24:45 -0000

On Monday, June 05, 2017 01:18:13 PM Murray S. Kucherawy wrote:
> On Mon, Jun 5, 2017 at 9:53 AM, Scott Kitterman <sklist@kitterman.com>
> 
> wrote:
> > I hear you.  I expect this to be the most contentious part of the draft.
> > 
> > Here's my counter argument:
> > 
> > The first DKIM RFC (RFC 4871), published in 2007 said:
> > > Signers MUST implement and SHOULD sign using rsa-sha256
> > 
> > I believe that the only reason rsa-sha1 was included at all was to make
> > transition from domainkeys easier (see RFC 4870).  That's also (as I
> > understand it where the 512 bit minimum key size came from).
> 
> As I recall, there were also implementations of DKIM made during its
> development (even before its IETF time) that supported both, and defaulted
> to rsa-sha1 because support for SHA256 in OpenSSL was new and not
> universally deployed.  Some of them were still running in the wild, and
> SHA1 wasn't fully deprecated, so the choice was made to be inclusive while
> encouraging use of the newer stuff as much as possible.
> 
> > As a working group document editor, I'll change it however the group wants
> > (of
> > course), but I think we should either kill rsa-sha1 entirely in this
> > document
> > or leave it out entirely and let one of the follow-on documents add a new
> > algorithm and remove rsa-sha1.  Preferably a clean kill or, failing that,
> > not
> > at all is what I think we should do.
> 
> I would omit it from the updated version entirely, and mark it "obsolete"
> in the registry.
> 
> -MSK, from the floor

OK.  Unfortunately I mashed the upload button on -01 before I saw this, but 
that makes sense to me.  I'll do it for -02.  

Unfortunately the draft submission site got confused about me being me, so I'm 
waiting for an email to confirm it's OK to change the author of the draft from 
me to me, so it may be a few minutes before it shows up.

Thanks,

Scott K