IETF Logo Mail Archive

Re: [dmarc-ietf] Fwd: New Version Notification for draft-srose-dkim-ecc-00.txt

Federico Santandrea <federico.santandrea@diennea.com> Fri, 07 April 2017 10:19 UTC

Return-Path: <federico.santandrea@diennea.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E9DC129436 for <dmarc@ietfa.amsl.com>; Fri, 7 Apr 2017 03:19:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RdtgdOcn2UqQ for <dmarc@ietfa.amsl.com>; Fri, 7 Apr 2017 03:18:59 -0700 (PDT)
Received: from mail3.informatica.it (mail3.informatica.it [151.99.189.163]) by ietfa.amsl.com (Postfix) with ESMTP id 9A15A127A91 for <dmarc@ietf.org>; Fri, 7 Apr 2017 03:18:58 -0700 (PDT)
To: dmarc@ietf.org
References: <d91de205-05b4-0b59-b3a3-568fc0f57375@corp.mail.ru> <20170406235815.47843.qmail@ary.lan> <1491556016.525223113@f391.i.mail.ru>
From: Federico Santandrea <federico.santandrea@diennea.com>
Message-ID: <30f3baa9-f13b-91b4-c931-a2fb6858243a@diennea.com>
Date: Fri, 07 Apr 2017 12:18:52 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <1491556016.525223113@f391.i.mail.ru>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-GatewayId: federico.santandrea=2.584357330016061233131705@diennea.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/FWIGbpaY8ZYkDkECV_A_6CCr14Q>
Subject: Re: [dmarc-ietf] Fwd: New Version Notification for draft-srose-dkim-ecc-00.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Apr 2017 10:19:01 -0000

I agree that to avoid downgrade attacks there has to be a way to mark a
key as obsolete in the DNS, meaning: "don't use this key if you know
what this means". But I don't see a need to explicitly put another
algorithm name in the field.

For example, let's say an obsolete record can be marked with just "o=1"
to say it should only be considered by legacy verifiers who don't know
better. A new resolver would only consider keys that are NOT marked as
obsolete, and ignore the others. So if a message is only signed with
keys marked as obsolete (downgrade scenario), legacy verifiers would
pass, while new ones wouldn't.

Another thought:

If we want to put a meaningful value in this new field, I think it would
be more useful to make it the time since when the key was obsoleted,
this would allow for mail dated before that moment (which was correctly
signed only with then-not-obsolete keys) to pass verification. This
should be optional, so one could choose if he rather have some valid
mail fail verification, or risk some invalid back-dated mail pass
verification.

--
Federico

On 07/04/2017 11:06, Vladimir Dubrovin wrote:
> Without marking the published key as obsolete, downgrade attack is
> possible, because attacker can still use a weaker key to spoof
> signature.
>
> пятница, 07 апреля 2017г., 02:58 +03:00 от John Levine
> johnl@taugh.com <mailto:johnl@taugh.com>:
>
>> 1. produce 2 different DKIM-Signatures with 2 different selectors:
>>  slector1 with SHA-1 + RSA and selector2 one with SHA-512 + ECDSA
>
> Of course.
>
>> 2. add an additional field to either selector1 DKIM DNS record
>> (need to consult RFC if it's allowed) or to DKIM-Signature with
>> selector1 (it's allowed but probably is not enough to protect
>> against downgrade) to indicate the selector is legacy-only, e.g.
>> o=sha512/eccp256 to indicate this selector should be ignored if
>> verifier supports sha-512 and
> eccp256.
>
> No. If the verifier is smart enough to understand new algorithms, it
>  is smart enough to figure out which signature to prefer. Also keep
> in mind that the legacy crypto is sha256/rsa1024 which is plenty
> strong for the forseeable future.
>
> R's, John
>

v2.23.0 | Report a Bug | By Email