Re: [Dcrup] draft-ietf-dcrup-dkim-usage and document shepherds

Kurt Andersen <kurta@drkurt.com> Tue, 13 June 2017 10:10 UTC

Return-Path: <kurta@drkurt.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3E8D12F4B2 for <dcrup@ietfa.amsl.com>; Tue, 13 Jun 2017 03:10:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZkhPoxx1VBZL for <dcrup@ietfa.amsl.com>; Tue, 13 Jun 2017 03:10:13 -0700 (PDT)
Received: from mail-ua0-x22f.google.com (mail-ua0-x22f.google.com [IPv6:2607:f8b0:400c:c08::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6ABA41314C9 for <dcrup@ietf.org>; Tue, 13 Jun 2017 02:53:23 -0700 (PDT)
Received: by mail-ua0-x22f.google.com with SMTP id 68so54633170uas.0 for <dcrup@ietf.org>; Tue, 13 Jun 2017 02:53:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=3GWXK9k8FyVJHF4zy44x520AGYzx0cxwKDFHEQ+Ym7I=; b=MqP9hkUh41nScsGWQIvvcQLphh0GsemlQ1UojMxG2K+0JvM4uSc90+B3obrIzTATAm H8+3xFCx7gYKddos18hVFjGic6wY4uAKOEISkYHLGQSju5uTlm272VTupF6ruXzy6fDb Ueq6mo40HtF8klV+88m2RLNawxqyDy6q9ek1s=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=3GWXK9k8FyVJHF4zy44x520AGYzx0cxwKDFHEQ+Ym7I=; b=ARdT4BgK2i1X/XNt2+0gxtj2XjKhru6H3Mk3Y8SnbNalbpeQCXgjQM1q6WT8yebApJ eEw9BPyF+quc0vmxUFu3sb/fioHUYZz6Gy477CV4hnOm58r8QkqNxVRcnRGH1OzpeEVO y6WnkeYgt9x8lTd/1EzXcLuIyIqNBKDcIaPYEQGUQHCp3YCL17qWmRylbE2U3mIVtW8v gyNLSKXicOHVAyc02LVDA+WUt4ONESQ3MC9QDkCRwy6128dKORgFpnxNFh/dY/20Kn8A 10SREcfpB08td4UEyY/gWshpLFUhz03u6OI1Wk0IPDQ8j/KzchgoNvb9mKmOJ5/xnh97 LvJw==
X-Gm-Message-State: AKS2vOy+Cjp0ul4lK3qy6IzeKZ1RTzxLhXOktKvIIV8I/RakMtVE/FDm BQHVZi2Wx/yE3UZom7hgikTJtySye5CSI3s=
X-Received: by 10.176.82.26 with SMTP id i26mr2108300uaa.1.1497347602425; Tue, 13 Jun 2017 02:53:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.75.153 with HTTP; Tue, 13 Jun 2017 02:53:21 -0700 (PDT)
In-Reply-To: <CAOZAAfNxYG4XZusXvkXneDpyjPgdWSB_vk1maCS=Wobrj2ybzg@mail.gmail.com>
References: <20170610002538.10992.qmail@ary.lan> <2034638.szbv6KSWyz@kitterma-e6430> <CAL0qLwY4yFGbBXHw=YXgLgok1uzWm4s2TQ2GSBak_cDn4KsOBA@mail.gmail.com> <4379310.8G0EpGEsGj@kitterma-e6430> <CAOZAAfNxYG4XZusXvkXneDpyjPgdWSB_vk1maCS=Wobrj2ybzg@mail.gmail.com>
From: Kurt Andersen <kurta@drkurt.com>
Date: Tue, 13 Jun 2017 10:53:21 +0100
Message-ID: <CABuGu1qkpiG6ojo2Te6qcp3ckBeSvHCdUvNMV2N63a8s2e9_Cg@mail.gmail.com>
To: Seth Blank <seth@valimail.com>
Cc: dcrup@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c18ff88f2c0300551d467d4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/xY2xiwGW0rhCpu2TqcuI0QvILZ0>
Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-usage and document shepherds
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jun 2017 10:10:18 -0000

On Tue, Jun 13, 2017 at 8:49 AM, Seth Blank <seth@valimail.com> wrote:

> On Mon, Jun 12, 2017 at 3:29 PM, Scott Kitterman <sklist@kitterman.com>
> wrote:
>
>> If I knew which of the three approaches to take, then I could  pick one
>> and
>> write it:
>>
>> 1.  Fully replace section 3.3 explicitly saying MUST rsa-sha256 and MUST
>> NOT
>> rsa-sha1 (my personal preference)
>>
>> 2.  Fully replace section 3.3 dropping rsa-sha1 and just giving the new
>> requirements (possibly with an appendix that says MUST NOT rsa-sha1)
>>
>> 3.  Make the draft a lot shorter and only state updated requirements.
>> Also
>> don't remove rsa-sha1 [1]
>>
>
> I think #2 is the cleanest for a lot of reasons, but I'm sympathetic to
> the argument about the RFC making it clear what has changed to an
> implementer reading it and this has persuaded me, If the point of this
> document is to get implementers who have been using sha-1 and weak keys to
> throw them out - #1's language accomplishes this explicitly.
>
> So I'm voting for #1.
>

I'd much prefer approach #2, but rather than "replace in place", the
replacement should point to a registry with the details in the registry
subject to expert review for future updates. The initial population of
registry entries should designate sha1 and rsa keys <1024bits as either
"not supported" or "deprecated" or whatever other terminology conveys the
same message in registry-speak.

--Kurt