IETF Logo Mail Archive

Re: [dmarc-ietf] Fwd: New Version Notification for draft-srose-dkim-ecc-00.txt

"John Levine" <johnl@taugh.com> Thu, 06 April 2017 23:58 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 826E9129631 for <dmarc@ietfa.amsl.com>; Thu, 6 Apr 2017 16:58:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qcDhlwdZBqWm for <dmarc@ietfa.amsl.com>; Thu, 6 Apr 2017 16:58:43 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9445E1296C1 for <dmarc@ietf.org>; Thu, 6 Apr 2017 16:58:41 -0700 (PDT)
Received: (qmail 31636 invoked from network); 6 Apr 2017 23:58:37 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 6 Apr 2017 23:58:37 -0000
Date: Thu, 06 Apr 2017 23:58:15 -0000
Message-ID: <20170406235815.47843.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: dmarc@ietf.org
Cc: dubrovin@corp.mail.ru
In-Reply-To: <d91de205-05b4-0b59-b3a3-568fc0f57375@corp.mail.ru>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/jhCK_HoKv2O34RDJozRJPetPXQU>
Subject: Re: [dmarc-ietf] Fwd: New Version Notification for draft-srose-dkim-ecc-00.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Apr 2017 23:58:44 -0000

>1. produce 2 different DKIM-Signatures with 2 different selectors:
>slector1  with SHA-1 + RSA and selector2 one with  SHA-512 + ECDSA

Of course.

>2. add an additional field to either selector1 DKIM DNS record (need to
>consult RFC if it's allowed) or to DKIM-Signature with selector1 (it's
>allowed but probably is not enough to protect against downgrade) to
>indicate the selector is legacy-only, e.g. o=sha512/eccp256 to indicate
>this selector should be ignored if verifier supports sha-512 and eccp256.

No.  If the verifier is smart enough to understand new algorithms, it
is smart enough to figure out which signature to prefer.  Also keep in
mind that the legacy crypto is sha256/rsa1024 which is plenty strong
for the forseeable future.

R's,
John

v2.23.0 | Report a Bug | By Email