IETF Logo Mail Archive

Re: [dispatch] Updating DKIM for stronger crypto

Eric Rescorla <ekr@rtfm.com> Tue, 21 March 2017 12:20 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C3D61297C4 for <dispatch@ietfa.amsl.com>; Tue, 21 Mar 2017 05:20:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ir1JzcQ30TnJ for <dispatch@ietfa.amsl.com>; Tue, 21 Mar 2017 05:19:57 -0700 (PDT)
Received: from mail-yw0-x22f.google.com (mail-yw0-x22f.google.com [IPv6:2607:f8b0:4002:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87DB61297EB for <dispatch@ietf.org>; Tue, 21 Mar 2017 05:19:57 -0700 (PDT)
Received: by mail-yw0-x22f.google.com with SMTP id p77so108422896ywg.1 for <dispatch@ietf.org>; Tue, 21 Mar 2017 05:19:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=O+GREiOjMkA5nBJldC++XqA6y1dvpNpVLHPgVWZF/jY=; b=XdDagVUgIjRNPUJyOTB59IbHMgNgq5iV0x+nNGQbDBxlVb/tWkmLmDGTi10RXUWlcY oSjCfUwO0OTpu4M9b60vRPZmvKj6v6wspx35U27RTCAiZ4hxfYqLrlFIGFm20RDWEDXs AAm3goetJg9tP0PCfB2HXuNpdhmGespk0kAtIAW8k7e6H3DIXJ3ohW1/Hn2G4D0QFw/O PhPsAW0WKCp6uzSF91IVfB3mCFVL3gDJbQrYjHmyaCTQMwby+WnzzszKiGncq593GvX/ hBT/i0pn8Koily4KJyLx9imhy65ZlIiWE4ROub7RT0R0LaP6qa58ihAXulE3pP6S8cLf McQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=O+GREiOjMkA5nBJldC++XqA6y1dvpNpVLHPgVWZF/jY=; b=Zsjp6KM7ShUzON8TJC2tXUFKOB+8QgIsCsqh56m8pcQOtPVZmUZK543kufxfc8NR7p iaOd9LA5nF3IRk3u+l8yu04qI8RUpRTwm8Ken0P6vBgSo5kCQ1MOnjO/jdI8o2xE70+b CdLpAR5CUbCImKHko+Vjb/5CM8cgEdNPD15fY2IgvVEh0A0Gcl+AqhFGLgMiJWZytwWL lWEjEg0z4heoAW31IsUK4fy3SrdZueu4Yvb017nt6eaauGPkqkFb8/JqYDkoxMvV4QNs j+wUf01vgfh2p5Eq0QEZNlG0sBYky19seM7D4u+CY9NJI6rkg/lc6+AKyqPVaappLmbg H7qQ==
X-Gm-Message-State: AFeK/H3ndqFBV9I0FCLUIIp5NBXMGDKfKsxxNCwGBYIRrLljUk/MOJsMGondlh+iOdiFtsJbckbwmVlhA80DcQ==
X-Received: by 10.37.53.138 with SMTP id c132mr22157731yba.105.1490098796704; Tue, 21 Mar 2017 05:19:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.154.210 with HTTP; Tue, 21 Mar 2017 05:19:16 -0700 (PDT)
In-Reply-To: <b7f8064f-d91d-6c16-b984-fd20014c7975@cs.tcd.ie>
References: <20170206020826.1108.qmail@ary.lan> <29F6F66C-F14F-402A-83D4-CAC70841667E@iii.ca> <CABkgnnVX3rgMY0ZGmf_xcQ+zgGtCMaZcsymyW2BCWBeAKm_CqQ@mail.gmail.com> <b7f8064f-d91d-6c16-b984-fd20014c7975@cs.tcd.ie>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 21 Mar 2017 05:19:16 -0700
Message-ID: <CABcZeBObvXkFd2G7st1iywMjVr-JWvzMrV46zCXZ251LHiddGA@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Martin Thomson <martin.thomson@gmail.com>, Cullen Jennings <fluffy@iii.ca>, DISPATCH list <dispatch@ietf.org>, John Levine <johnl@taugh.com>
Content-Type: multipart/alternative; boundary="001a114bbb32757023054b3ca9e2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/BGHeyYS_a4q7-wIOCZ9ODifr3nc>
Subject: Re: [dispatch] Updating DKIM for stronger crypto
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 12:20:00 -0000

On Tue, Mar 21, 2017 at 1:52 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Hiya,
>
> On 21/03/17 03:32, Martin Thomson wrote:
> > On 11 February 2017 at 07:50, Cullen Jennings <fluffy@iii.ca> wrote:
> >>
> >> The Chairs and ADs discussed this today and we plan to allocate
> >> some agenda time for it at IETF 98. At the meeting we can try and
> >> figure out best way to dispatch this.
> >
> > I notice that this is on the agenda as simply "DKIM" and all we have
> > is "brief summary of problem - 10 min (John)", which took me a while
> > to latch on to.  "Update DKIM Crypto" would be a better title, and
> > John's full name would further help people reading the agenda.  If
> > nothing else, this email should help people find this thread again.
> >
> > If I can summarize where I think this left off, we have a desire to
> > improve the strength of the cryptographic algorithms used in DKIM.
> > No one seemed to object to that, but two options came out:
> >
> > 1. Define use of Ed25519
> > 2. Define a modified RSA signature scheme
> > where Sign(k, X) is defined as K || Sign-RSA(k, X) and Verify(H, K ||
> > M) is Hash(K) == H && Verify-RSA(K, M)
> >
>
> Hmm... WRT #2: I'd be against the idea of defining a mechanism at
> that level without significant input from CFRG as it'd be re-used
> if defined at that level so would need some analysis. I guess the
> idea in #2 is publishing a hashed key in the DNS DKIM key record
> instead of the key itself and of including the public key in a
> mail header field, which is a little different (and less scary:-)
> to how the above is presented.
>

Yes. I only described it this way in the interest of explaining how
implementations
could be updated easily. Note that I have no particular axe to grind in
favor of
RSA, but to the extent to which your problem with RSA is merely the size of
the key in the DNS, then this is the minimal change. In fact, I would argue
that if you're going to bother to update the specs at all, you should stuff
the hash in the DNS, not the key.



> In looking at this, we should probably dispatch this cross-area to
> > CURDLE.  It might require re-chartering (DKIM isn't explicitly
> > mentioned), but it's a small change.  CURDLE might be naturally
> > predisposed to favour the option 1, but I'm sure that the ultimate
> > decision might simply depend on whoever is willing to do the work.
>
> "Ask curdle" does seem like a reasonable approach, but I'd still
> think it'd be worth considering the topic in dispatch first to get
> a sense of desired direction, as I don't think those who would
> write or deploy updated DKIM code tend to participate in curdle
> today. So first, it'd be good to find out if there's a real
> appetite/need for updated crypto, or if it's just a nice thing
> that could be done but that'd not see deployment.
>

I am fine with this being DISPATCHed to CURDLE. Less fine with it being
DISPATCHed to RFC.

-Ekr


Separately, I'd like to raise a different idea wrt DKIM. I don't
> expect it'll get traction, but no harm to at least raise it here
> to check...
>
> DKIM defines signatures so that a bad or missing signature are
> treated the same. The expectation in doing that was that DKIM
> signatures would be ephemeral things, and that public keys might
> be fairly often replaced using the selector mechanism. Last year,
> we learned that DKIM signatures can survive exfiltration and
> other subsequent steps leading to publication via wikileaks and
> that the same public keys allowing verification were still in use.
>
> That was surprising, for me at least. So I wonder if there's any
> interest in further considering key rollovers in DKIM, and if
> there's even interest in defining a scheme where old private keys
> are published, as a means to improve deniability when caches of old
> emails are subsequently leaked/published. Again, I'd be surprised
> if this got traction, so I'm not asking for time on the agenda
> unless the idea has resonated with folks on the list first. (It
> may also be that I just like the unexpected cuteness of there
> being potential utility in publishing private signature keys;-)
>
> There was a brief thread on the DKIM list about this a while
> back where the above and a couple of other ideas were mentioned
> without any of them attracting much interest. [1]
>
> Cheers,
> S.
>
> [1] http://mipassoc.org/pipermail/ietf-dkim/2016q4/017197.html
>
> >
> > _______________________________________________ dispatch mailing
> > list dispatch@ietf.org
> > https://www.ietf.org/mailman/listinfo/dispatch
> >
>
>
> _______________________________________________
> dispatch mailing list
> dispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/dispatch
>
>

v2.23.0 | Report a Bug | By Email