IETF Logo Mail Archive

Re: [dispatch] Updating DKIM for stronger crypto

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 21 March 2017 08:52 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 551611296A5 for <dispatch@ietfa.amsl.com>; Tue, 21 Mar 2017 01:52:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FWqDITfE95js for <dispatch@ietfa.amsl.com>; Tue, 21 Mar 2017 01:52:22 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F53E1296A1 for <dispatch@ietf.org>; Tue, 21 Mar 2017 01:52:22 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 96F0BBE5B; Tue, 21 Mar 2017 08:52:20 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UAF6S1dmV_7H; Tue, 21 Mar 2017 08:52:18 +0000 (GMT)
Received: from [10.244.2.100] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 70A3EBE58; Tue, 21 Mar 2017 08:52:18 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1490086338; bh=Pf4vebQDQs9Iog7B6SnGgE3irV5pnREQf0n63nQSOGE=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=Bu04q4M4pUb1ZZLNS9RjBry1UBfWLM456oatA0I/iRMGJ58Ur8glcyX6bhIIgxDWf UL0a2Z63C8z6mGStPERFLsxXfzJDeDBbtkXMRkNwAo6Efnqd8Yt4aU8YcJMiySVZtl xnHDLdV4E5BT29PWz/h+WXlogcAYkgVs8J+WBeck=
To: Martin Thomson <martin.thomson@gmail.com>, Cullen Jennings <fluffy@iii.ca>
References: <20170206020826.1108.qmail@ary.lan> <29F6F66C-F14F-402A-83D4-CAC70841667E@iii.ca> <CABkgnnVX3rgMY0ZGmf_xcQ+zgGtCMaZcsymyW2BCWBeAKm_CqQ@mail.gmail.com>
Cc: DISPATCH list <dispatch@ietf.org>, John Levine <johnl@taugh.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <b7f8064f-d91d-6c16-b984-fd20014c7975@cs.tcd.ie>
Date: Tue, 21 Mar 2017 08:52:17 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <CABkgnnVX3rgMY0ZGmf_xcQ+zgGtCMaZcsymyW2BCWBeAKm_CqQ@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="Msf0dPpXnSfxokKPRoSxmH4jgtnlDtmqg"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/SCZrcZreRaoeFu5hqEeacJ-jm7A>
Subject: Re: [dispatch] Updating DKIM for stronger crypto
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 08:52:25 -0000

Hiya,

On 21/03/17 03:32, Martin Thomson wrote:
> On 11 February 2017 at 07:50, Cullen Jennings <fluffy@iii.ca> wrote:
>> 
>> The Chairs and ADs discussed this today and we plan to allocate
>> some agenda time for it at IETF 98. At the meeting we can try and
>> figure out best way to dispatch this.
> 
> I notice that this is on the agenda as simply "DKIM" and all we have 
> is "brief summary of problem - 10 min (John)", which took me a while 
> to latch on to.  "Update DKIM Crypto" would be a better title, and 
> John's full name would further help people reading the agenda.  If 
> nothing else, this email should help people find this thread again.
> 
> If I can summarize where I think this left off, we have a desire to 
> improve the strength of the cryptographic algorithms used in DKIM.
> No one seemed to object to that, but two options came out:
> 
> 1. Define use of Ed25519 
> 2. Define a modified RSA signature scheme
> where Sign(k, X) is defined as K || Sign-RSA(k, X) and Verify(H, K ||
> M) is Hash(K) == H && Verify-RSA(K, M)
> 

Hmm... WRT #2: I'd be against the idea of defining a mechanism at
that level without significant input from CFRG as it'd be re-used
if defined at that level so would need some analysis. I guess the
idea in #2 is publishing a hashed key in the DNS DKIM key record
instead of the key itself and of including the public key in a
mail header field, which is a little different (and less scary:-)
to how the above is presented.

> A third option seems plausible as well: do both and let the market 
> decide.  I'd be surprised if either were a massive specification 
> effort.

I'm not sure letting the market decide here would be a good
plan TBH, and I don't think ease of specification ought be
a primary consideration.

> 
> In looking at this, we should probably dispatch this cross-area to 
> CURDLE.  It might require re-chartering (DKIM isn't explicitly 
> mentioned), but it's a small change.  CURDLE might be naturally 
> predisposed to favour the option 1, but I'm sure that the ultimate 
> decision might simply depend on whoever is willing to do the work.

"Ask curdle" does seem like a reasonable approach, but I'd still
think it'd be worth considering the topic in dispatch first to get
a sense of desired direction, as I don't think those who would
write or deploy updated DKIM code tend to participate in curdle
today. So first, it'd be good to find out if there's a real
appetite/need for updated crypto, or if it's just a nice thing
that could be done but that'd not see deployment.

Separately, I'd like to raise a different idea wrt DKIM. I don't
expect it'll get traction, but no harm to at least raise it here
to check...

DKIM defines signatures so that a bad or missing signature are
treated the same. The expectation in doing that was that DKIM
signatures would be ephemeral things, and that public keys might
be fairly often replaced using the selector mechanism. Last year,
we learned that DKIM signatures can survive exfiltration and
other subsequent steps leading to publication via wikileaks and
that the same public keys allowing verification were still in use.

That was surprising, for me at least. So I wonder if there's any
interest in further considering key rollovers in DKIM, and if
there's even interest in defining a scheme where old private keys
are published, as a means to improve deniability when caches of old
emails are subsequently leaked/published. Again, I'd be surprised
if this got traction, so I'm not asking for time on the agenda
unless the idea has resonated with folks on the list first. (It
may also be that I just like the unexpected cuteness of there
being potential utility in publishing private signature keys;-)

There was a brief thread on the DKIM list about this a while
back where the above and a couple of other ideas were mentioned
without any of them attracting much interest. [1]

Cheers,
S.

[1] http://mipassoc.org/pipermail/ietf-dkim/2016q4/017197.html

> 
> _______________________________________________ dispatch mailing
> list dispatch@ietf.org 
> https://www.ietf.org/mailman/listinfo/dispatch
>

v2.23.0 | Report a Bug | By Email