Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-02 and registries

"John Levine" <johnl@taugh.com> Tue, 13 June 2017 11:30 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30D29131688 for <dcrup@ietfa.amsl.com>; Tue, 13 Jun 2017 04:30:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.358
X-Spam-Level:
X-Spam-Status: No, score=-0.358 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_06_12=1.543, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GKzh1ssgqkDx for <dcrup@ietfa.amsl.com>; Tue, 13 Jun 2017 04:30:48 -0700 (PDT)
Received: from miucha.iecc.com (www.iecc.com [IPv6:2001:470:1f07:1126::4945:4343]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E6AF1315EB for <dcrup@ietf.org>; Tue, 13 Jun 2017 04:30:48 -0700 (PDT)
Received: (qmail 58520 invoked from network); 13 Jun 2017 11:30:47 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 13 Jun 2017 11:30:47 -0000
Date: Tue, 13 Jun 2017 00:21:17 -0000
Message-ID: <20170613002117.1367.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: dcrup@ietf.org
Cc: kurta@drkurt.com
In-Reply-To: <CABuGu1qkpiG6ojo2Te6qcp3ckBeSvHCdUvNMV2N63a8s2e9_Cg@mail.gmail.com>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/xPzCfa9Pp4X7eEoC2rF91wDBqQU>
Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-02 and registries
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jun 2017 11:30:54 -0000

In article <CABuGu1qkpiG6ojo2Te6qcp3ckBeSvHCdUvNMV2N63a8s2e9_Cg@mail.gmail.com> you write:
>I'd much prefer approach #2, but rather than "replace in place", the
>replacement should point to a registry with the details in the registry
>subject to expert review for future updates. The initial population of
>registry entries should designate sha1 and rsa keys <1024bits as either
>"not supported" or "deprecated" or whatever other terminology conveys the
>same message in registry-speak.

Take a look at my draft.  There already is a registry for hash
algorithms, and mine moves sha1 to historic.  

There's no registry for key sizes, and creating one would be tough.
For RSA, you can create a key with as many bits as you want.  You want
a 1775 bit key, you can use a 1775 bit key.  I'd rather keep the
advice about key size in the text since the alternative would seem to
be to list every key size from 512 to whatever and mark them
individually good or bad.

For the elliptic algorithms, there's no choice of key size so nothing
to put in a registry.

R's,
John
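A verifier-side check of the kind this message argues for, with the key-size rule kept in code rather than in a registry. This is an added example, not part of the thread or of the draft. It builds a constructed DKIM TXT record around a SubjectPublicKeyInfo whose modulus has a chosen bit length (the moduli are sized integers, not real RSA keys), reads the modulus size back out of the p= tag with a minimal definite-length DER reader, rejects RSA keys below 1024 bits, treats an empty p= as a revoked key, and reports an a= tag that names sha1 as historic. The 1024-bit floor, the accepted hash set, the function names and the `ed25519` key type (a real k= value from the later RFC 8463, not from this message) are assumptions of the example.

```python
import base64
import re

# Policy assumed for this example, not taken from the draft: smallest RSA modulus
# a verifier accepts, and the hash algorithms that are not historic.
MIN_RSA_BITS = 1024
ACCEPTED_HASHES = {"sha256"}

RSA_OID_VALUE = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1


# --- minimal DER encoder, used only to construct sample keys ------------------
def der_len(n: int) -> bytes:
    """Definite-form DER length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # pad so the INTEGER stays non-negative
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def der_seq(*parts: bytes) -> bytes:
    body = b"".join(parts)
    return b"\x30" + der_len(len(body)) + body


def make_spki(n: int, e: int = 65537) -> bytes:
    """SubjectPublicKeyInfo around RSAPublicKey{n, e}: the DER a DKIM p= tag carries in base64."""
    rsa_pub = der_seq(der_int(n), der_int(e))
    bit_string = b"\x03" + der_len(len(rsa_pub) + 1) + b"\x00" + rsa_pub  # leading 0 = no unused bits
    alg_id = der_seq(b"\x06" + der_len(len(RSA_OID_VALUE)) + RSA_OID_VALUE, b"\x05\x00")
    return der_seq(alg_id, bit_string)


def dkim_record(n: int) -> str:
    """Constructed DKIM TXT record for modulus n (a sized integer, not a real RSA key)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(make_spki(n)).decode()


# --- verifier side ------------------------------------------------------------
def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:  # long form: low bits give the number of length bytes
        n_bytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n_bytes], "big")
        pos += n_bytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, body, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg_id, pos = read_tlv(body, 0)
    oid_tag, oid, _ = read_tlv(alg_id, 0)
    if oid_tag != 0x06 or oid != RSA_OID_VALUE:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = read_tlv(body, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_pub, _ = read_tlv(bit_string[1:], 0)  # RSAPublicKey SEQUENCE
    tag, modulus, _ = read_tlv(rsa_pub, 0)        # first INTEGER is n
    if tag != 0x02:
        raise ValueError("RSAPublicKey modulus missing")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt: str) -> dict:
    """Split a tag=value list; whitespace inside a value is folding whitespace and is dropped."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def classify_key(txt: str) -> str:
    """Key-size rule kept in verifier code: RSA below MIN_RSA_BITS is rejected."""
    tags = parse_dkim_record(txt)
    if not tags.get("p"):                  # RFC 6376: empty p= means the key is revoked
        return "reject: key revoked (empty p=)"
    if tags.get("k", "rsa") != "rsa":     # e.g. ed25519 (RFC 8463): fixed size, nothing to check
        return "accept"
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits < MIN_RSA_BITS:
        return f"reject: {bits}-bit RSA key is below {MIN_RSA_BITS} bits"
    return "accept"


def signature_alg_status(a_tag: str) -> str:
    """Status of a DKIM-Signature a= value, e.g. 'rsa-sha1' -> 'historic'."""
    _, _, hash_name = a_tag.partition("-")
    return "accepted" if hash_name in ACCEPTED_HASHES else "historic"


if __name__ == "__main__":
    for n in ((1 << 767) | 1, (1 << 1023) | 1, (1 << 2047) | 1):
        print(n.bit_length(), classify_key(dkim_record(n)))
    print("rsa-sha1 ->", signature_alg_status("rsa-sha1"))
```

Because the size is read from the modulus itself, any RSA key length is handled by one comparison, which is the point made above about a 1775-bit key: there is no entry to look up, only a floor to enforce.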