[dispatch] Proposed charter for DCRUP v0.3

"John R Levine" <johnl@taugh.com> Fri, 07 April 2017 16:36 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BEFD124282 for <dispatch@ietfa.amsl.com>; Fri, 7 Apr 2017 09:36:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=R8hYljOe; dkim=pass (1536-bit key) header.d=taugh.com header.b=KF0Z5vZe
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VnUAcyQQ7dZm for <dispatch@ietfa.amsl.com>; Fri, 7 Apr 2017 09:36:23 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0404512944A for <dispatch@ietf.org>; Fri, 7 Apr 2017 09:36:22 -0700 (PDT)
Received: (qmail 1183 invoked from network); 7 Apr 2017 16:36:18 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:subject:in-reply-to:references:mime-version:content-type:user-agent; s=493.58e7c002.k1704; bh=8Z7mh56mhQPsXcEOmdv6TCLuxZjof7k+vmrG71KWkO0=; b=R8hYljOeOn5m25capwcGs9M37zr7uR1kWQ/PT2drAsEpq+hshVph5j4NN4F+kzE2YvJPhjI/TI1wZ0UbrsoT+0D9rLM7V+IboQ+poNipg9FPdRhcUSYfrMb93fFmY2DesaOxM5hYEZE7WriKXUbUK6o4UMZImeqwefexwYWaOl3UhkxI+OlBYrKgxrtkDvY11yrq9Fd/D87OW8n5cU9zF6Brt7eD8zYxcNq/VyGvUwe/5f3a6rskLIeSNHxA8rez
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:subject:in-reply-to:references:mime-version:content-type:user-agent; s=493.58e7c002.k1704; bh=8Z7mh56mhQPsXcEOmdv6TCLuxZjof7k+vmrG71KWkO0=; b=KF0Z5vZe/pf5Zp4WL5yZ+ohBFBn+1rymESxTxT+dz/uBwlvPzkApXXIeTmHPxjK5A+MC48gdEP9h+Jjz8YVZ/ElPoTl1/qPLXH5nsHTrUqkvmavz7n/bSFDpYNuJGJaulxQvmo8ipVB55mE2mgRdEZQfMHHEmX3zv11HJJG0gvKAb75N8/rxrHB3i/l1XAbDEtGTvipvy/DRAqM5zfEUWdICmnsrl3+0WwrWZKc35LhTHzMbdn9FCDABdCvYKDnn
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 07 Apr 2017 16:36:18 -0000
Date: Fri, 07 Apr 2017 12:36:18 -0400
Message-ID: <alpine.OSX.2.20.1704071233050.55219@ary.qy>
From: John R Levine <johnl@taugh.com>
To: DISPATCH list <dispatch@ietf.org>
In-Reply-To: <alpine.OSX.2.20.1703301431530.8232@dhcp-80f1.meeting.ietf.org>
References: <alpine.OSX.2.20.1703271129060.7578@dhcp-80f1.meeting.ietf.org> <CAL0qLwZ9pDcOsooOgrpN9feDywc-+=twNtN4BpvOQ6ny68yLfA@mail.gmail.com> <alpine.OSX.2.20.1703301431530.8232@dhcp-80f1.meeting.ietf.org>
User-Agent: Alpine 2.20 (OSX 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/m0salTJ8PdlME6A_jXZecOHzh8U>
Subject: [dispatch] Proposed charter for DCRUP v0.3
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Apr 2017 16:36:26 -0000

One last twiddle, make it clear we can deprecate obsolete signing 
algorithms.  I have in mind SHA-1 and RSA-512.

Assuming people are happy with this, what's the next step?

R's,
John

-----------

The DKIM Crypto Update (DCRUP) working groupkin is chartered to update
DKIM to handle more modern cryptographic algorithms and key sizes. DKIM
(RFC 6376) signatures include a tag that identifies the hash algorithm and
signing algorithm used in the signature. The only current algorithm is RSA,
with advice that signing keys should be between 1024 and 2048 bits. While
1024 bit signatures are common, longer signatures are not because bugs in
DNS provisioning software prevent publishing longer keys as DNS TXT records.

DCRUP will consider three types of changes to DKIM: additional signing 
algorithms such as those based on elliptic curves, changes to key strength 
advice and requirements including deprecating obsolete algorithms, and new 
public key forms, such as putting the public key in the signature and a 
hash of the key in the DNS.  It will limit itself to existing implemented 
algorithms and key forms. Other changes to DKIM, such as new message 
canonicalization schemes, are out of scope.  The WG will as far as 
possible avoid changes incompatible with deployed DKIM signers and 
verifiers.
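
The charter above touches three concrete mechanics: the a= tag in a DKIM-Signature that names the signing and hash algorithm, the RSA key-size advice (with SHA-1 and RSA-512 as deprecation candidates), and the fact that keys longer than about 1024 bits no longer fit in a single 255-octet TXT string. The following is an added example written for this page; it is not John's code nor anything from the DCRUP charter or RFC 6376. It builds a DKIM key record from a constructed RSA modulus (arbitrary odd numbers of the stated size, not real keys), shows how many TXT strings the record needs, and runs a small verifier-side policy check. The DER helpers are hand-written here to avoid dependencies, and the thresholds (DEPRECATED_ALGS, MIN_RSA_BITS) are illustrative assumptions, not DCRUP's decisions.

```python
import base64
import re

# Illustrative policy (assumed for this example, not DCRUP's): flag rsa-sha1 and sub-1024-bit RSA.
DEPRECATED_ALGS = {"rsa-sha1"}
MIN_RSA_BITS = 1024
TXT_STRING_LIMIT = 255  # a DNS <character-string> holds at most 255 octets

# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters.
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")


def der_encode(tag, value):
    """Wrap value in a definite-length DER TLV with the given tag."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def der_integer(v):
    """DER INTEGER for a non-negative int; a leading 0x00 keeps the top bit from reading as a sign."""
    b = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:
        b = b"\x00" + b
    return der_encode(0x02, b)


def parse_tlv(buf, i=0):
    """Decode one DER TLV at offset i; returns (tag, value, offset after the TLV)."""
    tag, n = buf[i], buf[i + 1]
    i += 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[i:i + k], "big")
        i += k
    return tag, buf[i:i + n], i + n


def build_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo DER for an RSA public key, the form DKIM's p= tag carries."""
    rsa_public_key = der_encode(0x30, der_integer(modulus) + der_integer(exponent))
    bit_string = der_encode(0x03, b"\x00" + rsa_public_key)  # leading octet: 0 unused bits
    return der_encode(0x30, RSA_ALG_ID + bit_string)


def rsa_modulus_bits(spki_der):
    """Walk SPKI -> BIT STRING -> RSAPublicKey -> modulus INTEGER and return its bit length."""
    tag, spki, _ = parse_tlv(spki_der)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    _, _alg_id, j = parse_tlv(spki)  # AlgorithmIdentifier, not needed here
    tag, bit_string, _ = parse_tlv(spki, j)
    assert tag == 0x03, "subjectPublicKey must be a BIT STRING"
    _, rsa_public_key, _ = parse_tlv(bit_string[1:])  # skip the unused-bits octet
    tag, modulus, _ = parse_tlv(rsa_public_key)
    assert tag == 0x02, "RSAPublicKey.modulus must be an INTEGER"
    return int.from_bytes(modulus, "big").bit_length()


def build_key_record(spki_der, hash_algs=("sha256",)):
    """DKIM key record text (v=, h=, k=, p= tags) as it would be published in DNS."""
    p = base64.b64encode(spki_der).decode("ascii")
    return "v=DKIM1; h=%s; k=rsa; p=%s" % (":".join(hash_algs), p)


def split_txt_strings(record, limit=TXT_STRING_LIMIT):
    """Split a record into the <=255-octet strings a TXT RR must carry; verifiers concatenate them."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def parse_tags(value):
    """Parse a tag=value list (DKIM-Signature header or key record) into a dict, dropping whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def assess(signature_header, key_record):
    """Return (RSA modulus bits or None, list of policy findings) for a signature/key pair."""
    sig, key = parse_tags(signature_header), parse_tags(key_record)
    alg = sig.get("a", "")
    findings = []
    if alg in DEPRECATED_ALGS:
        findings.append("deprecated signing algorithm %s" % alg)
    bits = None
    if key.get("k", "rsa") == "rsa":
        bits = rsa_modulus_bits(base64.b64decode(key["p"]))
        if bits < MIN_RSA_BITS:
            findings.append("RSA key is %d bits, below %d" % (bits, MIN_RSA_BITS))
    hash_alg = alg.partition("-")[2]
    if "h" in key and hash_alg not in key["h"].split(":"):
        findings.append("hash %s not permitted by key h= tag" % hash_alg)
    return bits, findings


# Constructed sample inputs: the moduli are arbitrary odd numbers of the stated size (not real keys)
# and the bh=/b= values are placeholders; only the a= tag matters for the check.
SIG_SHA256 = "v=1; a=rsa-sha256; c=simple; d=example.com; s=sel; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER"
SIG_SHA1 = SIG_SHA256.replace("a=rsa-sha256", "a=rsa-sha1")
KEY_512 = build_key_record(build_spki((1 << 511) | 1))
KEY_1024 = build_key_record(build_spki((1 << 1023) | 1))
KEY_2048 = build_key_record(build_spki((1 << 2047) | 1))

if __name__ == "__main__":
    for name, key in (("512", KEY_512), ("1024", KEY_1024), ("2048", KEY_2048)):
        print(name, "bits -> TXT strings needed:", len(split_txt_strings(key)))
    print(assess(SIG_SHA1, KEY_512))
    print(assess(SIG_SHA256, KEY_2048))
```

Running it shows the provisioning problem the charter describes in concrete terms: the 1024-bit record fits in one 255-octet string, while the 2048-bit record needs two, which is exactly where DNS tooling that assumes one string per TXT record breaks. The assess function is the verifier-side half of the same policy: it reads the a= tag, measures the published modulus, and reports keys or algorithms that fall under whatever deprecation rule a deployment adopts.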