Re: [dispatch] Updating DKIM for stronger crypto
Cullen Jennings <fluffy@iii.ca> Mon, 06 February 2017 23:22 UTC
Return-Path: <fluffy@iii.ca>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12DC51296B6 for <dispatch@ietfa.amsl.com>; Mon, 6 Feb 2017 15:22:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.788
X-Spam-Level:
X-Spam-Status: No, score=-3.788 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1.887, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qp86VvcnInHg for <dispatch@ietfa.amsl.com>; Mon, 6 Feb 2017 15:22:45 -0800 (PST)
Received: from smtp88.iad3a.emailsrvr.com (smtp88.iad3a.emailsrvr.com [173.203.187.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49D781296B3 for <dispatch@ietf.org>; Mon, 6 Feb 2017 15:22:45 -0800 (PST)
Received: from smtp28.relay.iad3a.emailsrvr.com (localhost [127.0.0.1]) by smtp28.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 8688D51E2; Mon, 6 Feb 2017 18:22:44 -0500 (EST)
X-Auth-ID: fluffy@iii.ca
Received: by smtp28.relay.iad3a.emailsrvr.com (Authenticated sender: fluffy-AT-iii.ca) with ESMTPSA id 4473A50E2; Mon, 6 Feb 2017 18:22:44 -0500 (EST)
X-Sender-Id: fluffy@iii.ca
Received: from [10.92.108.145] (192-195-83-200.static.monkeybrains.net [192.195.83.200]) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by 0.0.0.0:587 (trex/5.7.12); Mon, 06 Feb 2017 18:22:44 -0500
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Cullen Jennings <fluffy@iii.ca>
In-Reply-To: <20170206020826.1108.qmail@ary.lan>
Date: Mon, 06 Feb 2017 15:22:43 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <530C44E1-62EF-4DFF-AED6-ECF78B396C4F@iii.ca>
References: <20170206020826.1108.qmail@ary.lan>
To: John Levine <johnl@taugh.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/4pQzyE9CpI5fhCrIxirnknM5Leo>
Cc: dispatch@ietf.org
Subject: Re: [dispatch] Updating DKIM for stronger crypto
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Feb 2017 23:22:47 -0000
Hi John, Assuming that some groupr of people wnated to work on this, how would you suggest organizing the work in IETF? Is this just a draft that gets AD sponsored be a sec AD, or do we spin up a mini WG that does just one RFC, or is it an amount of work that it ends up with a WG that produces more than one RFC? I'm just trying to get a feel of how much work is involved here. Cullen > On Feb 5, 2017, at 6:08 PM, John Levine <johnl@taugh.com> wrote: > > The DKIM spec RFC 6376 specifies the hash algorithm to use to make > hashes of e-mail message bodies and headers, and the signing algorithm > to use to sign them, with the results placed in a header in the > message. To check signatures, the recipient looks up the verification > keys in the DNS, where it's stored in TXT records. > > Every signature includes a tag saying what hash and signature > algorithms it used, and every key record includes a tag saying what > signature algorithm the key is for. The plan was always that we'd be > able to move to newer algorithms when needed. Early versions of DKIM > used SHA1 hashes, but by the time the original spec was published in > 2007, we'd added SHA256 and the spec says that everyone should use > SHA256 hashes but also has to verify SHA1 hashes. In practice everyone > uses SHA256. > > The only signature algorithm is RSA, and the spec says that verifiers > must handle signatures from 512 to 2K bits and strongly suggests at > least 1K bits. So far, that has not changed. > > Needless to say, 512 bits is now way too weak, and 1K is iffy, so it > would be a good idea to update the advice. Over in DMARC land, there > is an anti-DMARC design called ARC which uses DKIM's signing > algorithms, and it would be nice to launch ARC with up to date crypto > too. > > The obvious change would be a one sentence update to the DMARC spec > saying to sign with at least 2K keys and verifiers must handle at > least 4K keys. The code changes to DKIM signers and verifiers would > be trivial, and it is my impression that most verifiers handle larger > keys now, since they just pass them to OpenSSL or the like. > > Unfortunately, we have a stupid but significant problem. DKIM keys > are published in DNS TXT records, the strings in TXT records are > limited to 256 characters, and keys longer than 1K bits don't fit > in 256 characters. No problem you might think, since the DKIM spec > says that verifiers catenate multiple strings together, so you just > break the key into two or three strings. > > A lot of people manage their DNS using web based crudware at their > registrar or DNS provider, and most of the crudware only handles TXT > records with one string. You don't have to tell me how broken that > is, but the cruddy state of DNS provisioning has been a problem for > many years, and nothing we say is going to fix it in any finite amount > of time. > > I note RFCs 7748 and 8032 which remind us that ed25519 has excellent > performance with much smaller keys. So I would like to publish a > small update to the DKIM spec to add ed25519 as a signature algorithm, > require that ed25519 signatures use at least 256 bits, and provide > some advice for migration, e.g., publish both keys in separate TXT > records and sign with both algorithms for a while. 256-bit keys fit > in a single TXT string with ease. > > Does this seem reasonable? > > R's, > John > > > > _______________________________________________ > dispatch mailing list > dispatch@ietf.org > https://www.ietf.org/mailman/listinfo/dispatch
- Re: [dispatch] Updating DKIM for stronger crypto Cullen Jennings
- [dispatch] Updating DKIM for stronger crypto John Levine
- Re: [dispatch] Updating DKIM for stronger crypto Stephen Farrell
- Re: [dispatch] Updating DKIM for stronger crypto John R Levine
- Re: [dispatch] Updating DKIM for stronger crypto Eric Rescorla
- Re: [dispatch] Updating DKIM for stronger crypto John R Levine
- Re: [dispatch] Updating DKIM for stronger crypto John R Levine
- Re: [dispatch] Updating DKIM for stronger crypto Eric Rescorla
- Re: [dispatch] Updating DKIM for stronger crypto John R Levine
- Re: [dispatch] Updating DKIM for stronger crypto Eric Rescorla
- Re: [dispatch] Updating DKIM for stronger crypto Cullen Jennings
- Re: [dispatch] Updating DKIM for stronger crypto Martin Thomson
- Re: [dispatch] Updating DKIM for stronger crypto John R Levine
- Re: [dispatch] Updating DKIM for stronger crypto Martin Thomson
- Re: [dispatch] Updating DKIM for stronger crypto Stephen Farrell
- Re: [dispatch] Updating DKIM for stronger crypto Eric Rescorla
- Re: [dispatch] Updating DKIM for stronger crypto John R Levine
- Re: [dispatch] Updating DKIM for stronger crypto Stephen Farrell
- Re: [dispatch] Updating DKIM for stronger crypto Martin Thomson
- Re: [dispatch] Updating DKIM for stronger crypto John Levine
- Re: [dispatch] Updating DKIM for stronger crypto Martin Thomson
- Re: [dispatch] Updating DKIM for stronger crypto John R Levine
- Re: [dispatch] Updating DKIM for stronger crypto Wei Chuang