[dmarc-ietf] ARC Crypto Algorithm Selection
Scott Kitterman <sklist@kitterman.com> Tue, 23 October 2018 10:58 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E40D7127598 for <dmarc@ietfa.amsl.com>; Tue, 23 Oct 2018 03:58:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=dY9P9xtn; dkim=pass (2048-bit key) header.d=kitterman.com header.b=c9LU9g1p
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Z_pVCI49R-n for <dmarc@ietfa.amsl.com>; Tue, 23 Oct 2018 03:58:39 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7233130E02 for <dmarc@ietf.org>; Tue, 23 Oct 2018 03:58:38 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201803e; t=1540292315; h=from : to : subject : date : message-id : mime-version : content-transfer-encoding : content-type : from : subject : date; bh=qf9TxPLy1n5ERw9F9DT2e0F/ZUL5F45M3SAYbIHa7dk=; b=dY9P9xtn4OAg0UDFCs8m75rtb6XThNIYSYE695VGd5FyzBdieBbPo039 y5L/gq2K7FruDA914oyxR4lpPpiXDw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201803r; t=1540292315; h=from : to : subject : date : message-id : mime-version : content-transfer-encoding : content-type : from : subject : date; bh=qf9TxPLy1n5ERw9F9DT2e0F/ZUL5F45M3SAYbIHa7dk=; b=c9LU9g1pHJ5vUmKLnbgcXuCyW0VaujDHojww1DCI3mngm6tmyQJ4h1Ax gYBlMpnoON8VbI/IIbAP3wj1pbZYsM53itMVaIT+a00IvJCH0aPJ1utcZK oHNT/N6/rMYsISLShZhaoco+IsoxgHMyvcAvhEZwRS1bCra8A2y9T1KLKC WJZpKxP9kJhv6KAUL7PwSL+HhrqzwWGgFP0SLuOZD6MQRN2UVAytxBD5Dx UxfqSqv9LAojji2d0L8AzZqgyIbIz0PtLXwgyeqME9VF5pedhKGMMls8ik zO1CD1iYLjgmexWw0yUnSrD0WEJ1did9LqhFSrezE/5y9r2JvDCeHQ==
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 822D7C400B5 for <dmarc@ietf.org>; Tue, 23 Oct 2018 05:58:35 -0500 (CDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Tue, 23 Oct 2018 06:58:33 -0400
Message-ID: <57062925.Z3iaeiTUnW@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-158-generic; KDE/4.13.3; x86_64; ; )
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/22ou7wiYT8Lxiq_WhbVreOBLUro>
Subject: [dmarc-ietf] ARC Crypto Algorithm Selection
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2018 10:58:41 -0000
I've started looking at updating dkimpy to align to the current versions of the specification. Last time I looked at this particular issue, ARC could use any algorithm that DKIM uses. As I recall, that was once of the stimuli for the DCRUP working group (to avoid having rsa-sha1 be valid for ARC by obsoleting it in DKIM). It looks like this discussion has been moved to a new draft, https://tools.ietf.org/html/draft-ietf-dmarc-arc-multi-01 (although the reference is wrong, https://tools.ietf.org/html/draft-ietf-dmarc-arc-multi-02 is current. Unfortunately, I don't find any actual guidance on what algorithms are currently used. Secion 6, Phases of Algorithm Evolution, gives some process (which seriously needs revision - I thought we all knew flag days don't work at Internet scale), but no actual guidance. DKIM, as updated by the DCRUP work, has two valid crypto algorithms: rsa-sha256 ed25119-sha256 One has been obsoleted: rsa-sha1 Which among those is valid for ARC and how do I know? Scott K
- [dmarc-ietf] ARC Crypto Algorithm Selection Scott Kitterman
- Re: [dmarc-ietf] ARC Crypto Algorithm Selection Kurt Andersen (b)
- Re: [dmarc-ietf] ARC Crypto Algorithm Selection Seth Blank
- Re: [dmarc-ietf] ARC Crypto Algorithm Selection Hector Santos
- Re: [dmarc-ietf] ARC Crypto Algorithm Selection John Levine