IETF Logo Mail Archive

Re: [dmarc-ietf] Fwd: New Version Notification for draft-srose-dkim-ecc-00.txt

Brandon Long <blong@google.com> Fri, 07 April 2017 07:28 UTC

Return-Path: <blong@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E038C1287A5 for <dmarc@ietfa.amsl.com>; Fri, 7 Apr 2017 00:28:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XbX9S-r3Xcju for <dmarc@ietfa.amsl.com>; Fri, 7 Apr 2017 00:28:42 -0700 (PDT)
Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86E98126C25 for <dmarc@ietf.org>; Fri, 7 Apr 2017 00:28:42 -0700 (PDT)
Received: by mail-oi0-x22d.google.com with SMTP id b187so77323475oif.0 for <dmarc@ietf.org>; Fri, 07 Apr 2017 00:28:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=CwnDnUxiO4q12vHT0b6sx9ajFyFAcWkB8zr6F7h7RcI=; b=e6QOwCSuKKhgO5f3TzD8hWf92p+PAeVmhg5src2d5SiqJ4OsRgmrgV1mf38rmuaEPf QKgV+gPzvQInorgh1ojruiUAhImnGRCoD47C+7NWMkuUFqaYvUjWHkLvlnVmLSYCVfFy jUeRGllegciRYT3VkqtBgaJxJgAv3CCrIPYqPV6i1lKAQmXmMhIIcm2P7q9RcSqQmIMB NpjLKgrsVipcQocgN3Wfk5C7/DzBRNrSUyWqNOrfMzKG6e/91UPdTgBK+XoESid3vLO0 bs8KlCHbW98koRpoZ+ka4BAVeLdIgMKmO5dtEeWC+tScP0FLwAjtt//e6BZ0D/ZgpWat trHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=CwnDnUxiO4q12vHT0b6sx9ajFyFAcWkB8zr6F7h7RcI=; b=J07weXloWlghnCZCkvcTpmR5E353eil9uAIv5y+M5AFNElLKgIlb4zPbJBOYJFS5me a9zKmvRquBmB8mfR9gJ5JgOR108PcpTdlMWRoThvZ74uR5KokBZGgN+HMObPIPu3t1xC AB5GTX/pBFxvOLAwc179wlJqjqipveijeAI52bmroaQRKPadLfecDA7nkuuB8y9uo5/r r/EqmylOhbILm2cb1jaFGppXVE+ZweuMrXehl4/Thr9cNMU6KLu7g+qRuCu9ZuIvYm92 HiDJhTP+QDDVSMZvo/Ff85InrqlE9SKDYxP+k3O5oTjftjunUUQMz5En8demIL5Sql1z VyhQ==
X-Gm-Message-State: AFeK/H1g7Lj4e26qqkD7HdlWtW6nHUTPIhmx01HyYbozC1iWTKrORGyKV3XF76b4SMDQ6+D5Fb2FBk1l9gCP8NOp
X-Received: by 10.157.17.78 with SMTP id p14mr24161726otp.222.1491550121420; Fri, 07 Apr 2017 00:28:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.120.72 with HTTP; Fri, 7 Apr 2017 00:28:40 -0700 (PDT)
In-Reply-To: <20170406235815.47843.qmail@ary.lan>
References: <d91de205-05b4-0b59-b3a3-568fc0f57375@corp.mail.ru> <20170406235815.47843.qmail@ary.lan>
From: Brandon Long <blong@google.com>
Date: Fri, 07 Apr 2017 00:28:40 -0700
Message-ID: <CABa8R6v8xXgbhywVA4yEEsDDZ8RW7t49FHnX1rhDQUbeMWdwsg@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>, Vladimir Dubrovin <dubrovin@corp.mail.ru>
Content-Type: multipart/alternative; boundary="001a1145c770274a50054c8e930b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/vLGKWZx_gejt6OEjyNh4NHc3Ocs>
Subject: Re: [dmarc-ietf] Fwd: New Version Notification for draft-srose-dkim-ecc-00.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Apr 2017 07:28:45 -0000

Should we add more hash algorithms?

Also, I'm very unclear of the benefit of the fp versions, adding nearly 400
bytes per signature to the message seems expensive, and in the arc case, an
extra 800 bytes per hop (nearly doubling the size of each hop) seems like
an odd compromise.  Maybe I'm being silly.

I know that many of the sending providers now provide the DNS directly for
DKIM keys, and so the end user domain only needs to put in CNAMEs, given
the need to rotate keys, that may be the more sane thing than expecting
anyone to routinely copy the large keys into DNS.

Brandon

On Thu, Apr 6, 2017 at 4:58 PM, John Levine <johnl@taugh.com> wrote:

> >1. produce 2 different DKIM-Signatures with 2 different selectors:
> >slector1  with SHA-1 + RSA and selector2 one with  SHA-512 + ECDSA
>
> Of course.
>
> >2. add an additional field to either selector1 DKIM DNS record (need to
> >consult RFC if it's allowed) or to DKIM-Signature with selector1 (it's
> >allowed but probably is not enough to protect against downgrade) to
> >indicate the selector is legacy-only, e.g. o=sha512/eccp256 to indicate
> >this selector should be ignored if verifier supports sha-512 and eccp256.
>
> No.  If the verifier is smart enough to understand new algorithms, it
> is smart enough to figure out which signature to prefer.  Also keep in
> mind that the legacy crypto is sha256/rsa1024 which is plenty strong
> for the forseeable future.
>
> R's,
> John
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email