Re: [Dcrup] I-D Action: draft-ietf-dcrup-dkim-usage-02.txt

Martin Thomson <martin.thomson@gmail.com> Sun, 11 June 2017 08:40 UTC


On 10 June 2017 at 19:33, Scott Kitterman <sklist@kitterman.com> wrote:
> This is pretty much what we had in -01 and this approach was suggested
> instead.  In XML, sorry, here's the diff:
>
> https://github.com/kitterma/draft-ietf-dcrup-dkim-usage/commit/b3956a026c18b88ac2f47f8a012610598149e286

That's not quite what I was suggesting. I have sent you a PR for what
I think you should say:

https://github.com/kitterma/draft-ietf-dcrup-dkim-usage/pull/1

I think that I got the essence of your changes there.  And it's a lot shorter.

Another issue I encountered when doing this:

         The defining documents specify a single signing algorithm,
         <xref target="RFC8017">RSA</xref> ,
         and recommends key sizes of 1024 to 2048 bits (but require
         verification of 512 bit keys).
         As discussed in <xref target="VULNOTE">US-CERT VU#268267</xref>,
         the operational community has recognized that shorter keys
         compromise the effectiveness of DKIM.
         While 1024 bit signatures are common, stronger signatures are
         not.  Widely used DNS configuration software places a practical
         limit on key sizes, because the software only handles a single
         256 octet string in a TXT record, and RSA keys longer than 1024
         bits don't fit in 256 octets.

Aside from the extra space after the first xref, there are two
problems with this paragraph.

First, this document doesn't change anything about the recommendations
regarding key sizes.  That makes the whole paragraph a little
misleading.  You give the impression that you are doing something
about key sizes, but then you don't.

Second, you can fit a key larger than 1024 bits in less than 256
octets.  A 1536-bit key isn't that great, but it's a huge amount
better than 1024.  I haven't done the math, but I'm sure that you
could find a number that maximizes key length without blowing the 256
octet limit.  This might be good advice to add (which would also mean
that you can keep the paragraph).
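The arithmetic behind that last point, as an added example (not code from the draft or from anyone on the thread): it sizes the DER SubjectPublicKeyInfo that a DKIM p= tag carries for an RSA modulus of a given bit length, base64-encodes it, prepends the record's tags, and searches for the largest modulus that still fits one TXT character-string. The tag prefix "v=DKIM1; k=rsa; p=" and the 255-octet limit (RFC 1035's character-string, the draft's "256" counting the length octet) are assumptions; the key encoding is the SubjectPublicKeyInfo that deployed DKIM records use.

```python
"""Size a DKIM TXT record for an RSA key of a given modulus length.

Added example, not code from the draft or the thread.  Assumes the record is
"v=DKIM1; k=rsa; p=<base64>", the key is a DER SubjectPublicKeyInfo (what
deployed DKIM records carry), and one TXT <character-string> holds at most
255 octets (RFC 1035; the draft's "256" includes the length octet).
"""

RSA_ALG_ID_LEN = 15  # SEQUENCE { OID rsaEncryption, NULL }: 30 0d 06 09 .. 05 00
DEFAULT_TAGS = "v=DKIM1; k=rsa; p="


def der_tlv_len(content_len: int) -> int:
    """Total DER size of one tag-length-value with content_len content octets."""
    if content_len < 128:
        length_octets = 1                                     # short form
    else:
        length_octets = 1 + (content_len.bit_length() + 7) // 8  # long form
    return 1 + length_octets + content_len


def der_uint_len(value_bits: int) -> int:
    """DER INTEGER size for a positive integer of exactly value_bits bits."""
    nbytes = (value_bits + 7) // 8
    if value_bits % 8 == 0:
        nbytes += 1  # top bit set: a 0x00 pad octet keeps the INTEGER positive
    return der_tlv_len(nbytes)


def rsa_spki_der_len(modulus_bits: int, exponent: int = 65537) -> int:
    """DER size of SubjectPublicKeyInfo { rsaEncryption, BIT STRING RSAPublicKey }."""
    rsa_public_key = der_tlv_len(der_uint_len(modulus_bits)
                                 + der_uint_len(exponent.bit_length()))
    bit_string = der_tlv_len(1 + rsa_public_key)  # leading "unused bits" octet
    return der_tlv_len(RSA_ALG_ID_LEN + bit_string)


def dkim_record_len(modulus_bits: int, tags: str = DEFAULT_TAGS) -> int:
    """Octets of record text: the tags plus padded base64 of the SPKI."""
    return len(tags) + 4 * ((rsa_spki_der_len(modulus_bits) + 2) // 3)


def largest_modulus_that_fits(limit: int = 255, tags: str = DEFAULT_TAGS,
                              step: int = 8) -> int:
    """Largest modulus (multiple of step bits) whose record fits in limit octets."""
    best, bits = 0, step
    while dkim_record_len(bits, tags) <= limit:  # record length grows with bits
        best, bits = bits, bits + step
    return best


if __name__ == "__main__":
    for bits in (1024, 1144, 1152, 1536, 2048):
        print(f"{bits:4d}-bit RSA -> {dkim_record_len(bits)} octets of TXT")
    print("largest that fits one 255-octet string:", largest_modulus_that_fits())
```

With these tags the search stops at 1144 bits (1192 bits if k=rsa is omitted, since rsa is the default), and a 1536-bit key already needs 322 octets; longer keys are published by splitting p= across several character-strings, which RFC 6376 section 3.6.2.2 requires verifiers to concatenate.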