IETF Logo Mail Archive

Re: [dmarc-ietf] Fwd: New Version Notification for draft-srose-dkim-ecc-00.txt

"MH Michael Hammer (5304)" <MHammer@ag.com> Fri, 07 April 2017 18:58 UTC

Return-Path: <MHammer@ag.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24B03129583 for <dmarc@ietfa.amsl.com>; Fri, 7 Apr 2017 11:58:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VdqQTPBUz19Z for <dmarc@ietfa.amsl.com>; Fri, 7 Apr 2017 11:58:14 -0700 (PDT)
Received: from agwhqht.amgreetings.com (agwhqht.amgreetings.com [207.58.192.31]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AEF2212704B for <dmarc@ietf.org>; Fri, 7 Apr 2017 11:58:13 -0700 (PDT)
Received: from USCLES544.agna.amgreetings.com ([fe80::f5de:4c30:bc26:d70a]) by USCLES533.agna.amgreetings.com ([::1]) with mapi id 14.03.0266.001; Fri, 7 Apr 2017 14:58:12 -0400
From: "MH Michael Hammer (5304)" <MHammer@ag.com>
To: Terry Zink <tzink@microsoft.com>, dmarc <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] Fwd: New Version Notification for draft-srose-dkim-ecc-00.txt
Thread-Index: AQHSrvvNqu4/0pctKkuxTAnboxyK5qG5HncAgAAp74CAAQVaAIAAM+kA///B35A=
Date: Fri, 07 Apr 2017 18:58:12 +0000
Message-ID: <CE39F90A45FF0C49A1EA229FC9899B052BDD2B1D@USCLES544.agna.amgreetings.com>
References: <d91de205-05b4-0b59-b3a3-568fc0f57375@corp.mail.ru> <20170406235815.47843.qmail@ary.lan> <CAOj=BA2P5e1o-QsZGAxGCV6rM1D=sNiL_ciL4BDtMkbQU1tSXA@mail.gmail.com> <CO2PR00MB01203E4C66FD0D68137CAB91A30C0@CO2PR00MB0120.namprd00.prod.outlook.com>
In-Reply-To: <CO2PR00MB01203E4C66FD0D68137CAB91A30C0@CO2PR00MB0120.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.144.6.157]
x-kse-attachmentfiltering-interceptor-info: protection disabled
x-kse-serverinfo: USCLES533.agna.amgreetings.com, 9
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean, bases: 4/7/2017 1:56:00 PM
x-kse-dlp-scaninfo: Skipped
Content-Type: multipart/alternative; boundary="_000_CE39F90A45FF0C49A1EA229FC9899B052BDD2B1DUSCLES544agnaam_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/nUVpt90xXUWXSE2uxjBJFrHR-sU>
Subject: Re: [dmarc-ietf] Fwd: New Version Notification for draft-srose-dkim-ecc-00.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Apr 2017 18:58:17 -0000

This was forced by the web browser providers for SHA1. It’s being forced by the PCI DSS standard for use of TLS1.0. So it clearly ispossible.

Mike

From: dmarc [mailto:dmarc-bounces@ietf.org] On Behalf Of Terry Zink
Sent: Friday, April 07, 2017 2:39 PM
To: dmarc
Subject: Re: [dmarc-ietf] Fwd: New Version Notification for draft-srose-dkim-ecc-00.txt

One reason transitions are difficult because of implementation and deprecation ambiguity. If there’s no reason to move other than best practice, then no one will (or not enough will move).

Maybe we can build timelines into the updates. By Jan 1, 2019, receivers SHOULD (MUST?) no longer support the following key sizes or algorithms. That way, if anyone complains that a particular DKIM-signature is not considered valid, we can always say it’s RFC non-compliant.

For example, for supported TLS ciphers, Microsoft Office 365 publishes what algorithms are supported, along with timelines for deprecation: https://technet.microsoft.com/en-us/library/dn569286.aspx. If senders have problems with TLS connections, we point them to that documentation. Not everyone reads the documentation, but it is the way we advertise to the world what we do and don’t support.

--Terry

From: dmarc [mailto:dmarc-bounces@ietf.org] On Behalf Of Peter Goldstein
Sent: Friday, April 7, 2017 8:34 AM
To: John Levine <johnl@taugh.com<mailto:johnl@taugh.com>>
Cc: dmarc <dmarc@ietf.org<mailto:dmarc@ietf.org>>; Vladimir Dubrovin <dubrovin@corp.mail.ru<mailto:dubrovin@corp.mail.ru>>
Subject: Re: [dmarc-ietf] Fwd: New Version Notification for draft-srose-dkim-ecc-00.txt

John,

Really glad to see this.

Does this initiative include an intention to update the cryptographic guidance from RFC 6376 sections 3.3 and 3.3.3 ?  The proposed charter speaks of adding new algorithms, but doesn't discuss deprecating/removing old ones.

Some specific concerns are:

1. Expressly forbidding RSA keys < 1024 bits in size - While the fact that some major receivers ignore such keys has made this a de facto standard, it would be good for the RFCs to reflect best practice here.  And as we saw with the ARC discussion, using the DKIM spec as a reference can inadvertently result in new standards supporting known insecure practices.

2. Eliminating SHA-1 - Even at the time of publication RFC 6376 recommended that signers avoid the use of SHA-1.  Despite this, a simple check of my inbox shows that quite a few senders - including a number of large, sophisticated ESPs - still use SHA-1 in preference to SHA-256.  While the recent developed PDF collision attack against SHA-1 is not entirely on point, it seems to be further evidence that SHA-1 should not be used.  And given the widespread support for SHA-256, this seems like it's mostly a configuration issue for senders.

If these items don't belong in the charter for the new group, do they have a different natural home for discussion?

Thanks.

Best,

Peter
[https://t.yesware.com/t/d51e63df483c4f1bf32b47229814ba3f3b13fe44/32a480a2a05d0065fe5ce922b6d2d032/spacer.gif][http://t.yesware.com/t/d51e63df483c4f1bf32b47229814ba3f3b13fe44/32a480a2a05d0065fe5ce922b6d2d032/spacer.gif]

On Thu, Apr 6, 2017 at 4:58 PM, John Levine <johnl@taugh.com<mailto:johnl@taugh.com>> wrote:
>1. produce 2 different DKIM-Signatures with 2 different selectors:
>slector1  with SHA-1 + RSA and selector2 one with  SHA-512 + ECDSA

Of course.

>2. add an additional field to either selector1 DKIM DNS record (need to
>consult RFC if it's allowed) or to DKIM-Signature with selector1 (it's
>allowed but probably is not enough to protect against downgrade) to
>indicate the selector is legacy-only, e.g. o=sha512/eccp256 to indicate
>this selector should be ignored if verifier supports sha-512 and eccp256.

No.  If the verifier is smart enough to understand new algorithms, it
is smart enough to figure out which signature to prefer.  Also keep in
mind that the legacy crypto is sha256/rsa1024 which is plenty strong
for the forseeable future.

R's,
John

v2.23.0 | Report a Bug | By Email