Re: [Dcrup] I-D Action: draft-ietf-dcrup-dkim-crypto-03.txt

Jim Fenton <fenton@bluepopcorn.net> Tue, 04 July 2017 07:26 UTC

From: Jim Fenton <fenton@bluepopcorn.net>
Date: Mon, 03 Jul 2017 21:26:26 -1000
Cc: John R Levine <johnl@taugh.com>, dcrup@ietf.org
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/sF0KpLZw2zxKcaIAknJN2l6OprA>
Subject: Re: [Dcrup] I-D Action: draft-ietf-dcrup-dkim-crypto-03.txt

I agree with ekr on this one: publishing a key fingerprint is the more general solution, even if right now we can't think of keys that require it other than RSA. So why not, in the future, always publish key fingerprints?

Related side question: in my last review I asked whether we should make provision in the protocol for different hash algorithms to be used for key fingerprints. The answer was "no" because we would not be able to use them without doing another dcrup-ish effort. I suppose that is reasonable, except that we had included the h= tag in DKIM selector records; it seems inconsistent to not be able to specify the algorithm here too.

-Jim



> On Jul 2, 2017, at 2:00 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> 
> On Sun, Jul 2, 2017 at 4:16 PM, John R Levine <johnl@taugh.com> wrote:
>>>> The current draft is substantially rewritten so it's not that simple.
>>>> Please identify the sections and lines of the -03 draft to which you object.
>>> 
>>> Is the document on Github? I'll send you a PR.
>> 
>> No, it's draft-ietf-dcrup-dkim-crypto-03 in the usual place.  Just tell us which sections should change, or if you want you can send a diff to the XML but that's probably overkill.
>> 
>> Perhaps this will help:
>> 
>> SIGNIFICANT CHANGE: This draft adds two new signature schemes rather than three, rsafp for RSA with key fingerprints in the DNS, and eddsa for ed25519 with keys in the DNS.
>> 
>> NON-CHANGE: like RFCs 4871 and 6276, this draft says nothing about what signature schemes, key representations, and/or message hashes might be added or changed in future versions of DKIM.
> 
> I'll send you comments, but it won't be before Prague.
> 
> -Ekr
> 
>> 
>> 
>> Regards,
>> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
>> Please consider the environment before reading this e-mail. https://jl.ly
> 