IETF Logo Mail Archive

Re: [dmarc-ietf] Fwd: New Version Notification for draft-srose-dkim-ecc-00.txt

Brandon Long <blong@google.com> Thu, 06 April 2017 22:00 UTC

Return-Path: <blong@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3435129684 for <dmarc@ietfa.amsl.com>; Thu, 6 Apr 2017 15:00:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wt-jHGEFS3Zi for <dmarc@ietfa.amsl.com>; Thu, 6 Apr 2017 15:00:41 -0700 (PDT)
Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02080129680 for <dmarc@ietf.org>; Thu, 6 Apr 2017 15:00:25 -0700 (PDT)
Received: by mail-oi0-x22d.google.com with SMTP id d2so67405852oig.1 for <dmarc@ietf.org>; Thu, 06 Apr 2017 15:00:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=8oLkv7LZi/Rmc+E9N5tMV0ozOBlNdlHFsHCacbGZLYQ=; b=NZCTYC/7pfBXGb1YmR2KJ/ro24l/RV/W1omQu+cxHG5/jxyTTQc15UHxQcZGa3n3HV efFlHYM3JKcmHbtuHwxB01COkLK/pgqhyuMwjRAbz0o1Di8gGGWRUa5i12PcX2xfv8zo Vu/YoERAhsM/cfQvGuJUzgieeyHwfe0EhLgdnkTtqCKO0fTeaJyFhwZCpKExjXjNtxa2 Rpd4LsSLdlUgCZJor+PRCCSRK0lfg/1zQyOHXEkPFxIjfVVXx3Nzhy6F4bLJXgEpxOjK 4wtX9oXqubB7Y/y68bzj/fy9H/GErBd0Qo2fMLrkygZ2P+Zy2fF3QqXc5e9oi+UqZ+8G 4NNw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=8oLkv7LZi/Rmc+E9N5tMV0ozOBlNdlHFsHCacbGZLYQ=; b=m0nNeMo4504vZW+pLQ7SWUgPKO2nf8OrE5ZlBxSvQEW1aEVSrwDYWqGUTbeV08Rb5v 7OfohnBwY/Dj2x59+0x+zpTbOj4FnKsm0JKELTK+ptoiSinFWWwZJWBNZ8VYPM77/+cQ ykZqYfWUIn8w6JrFJLi5CxMe4+49D1/vKnAh42Rb8eUgRoby71n9FO3aDr0SssL+MYAk 7yJOTqbWNjIXaXvtGvOw06VICYinZqsxIeMpGMBFcGkhqmLsN9GJ/UnOdiKiBcZ8POKP ktbwubwBel8nVzhDbUD9FtY81wMWRKmBfcIRlQio+u6i2XRDx1d57CAkxaRFfUL5Psl3 tUQg==
X-Gm-Message-State: AFeK/H32gUTjF7gTUiU2BqPHSLUtTUfEiRnsehd/WZCC7q9nReoWTQVzUbKRvkiAMoqzhYPQ9dj15G9csr5eKi+C
X-Received: by 10.202.216.84 with SMTP id p81mr15581377oig.193.1491516024853; Thu, 06 Apr 2017 15:00:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.120.72 with HTTP; Thu, 6 Apr 2017 15:00:24 -0700 (PDT)
In-Reply-To: <d91de205-05b4-0b59-b3a3-568fc0f57375@corp.mail.ru>
References: <149149960391.22024.11499305209108527807.idtracker@ietfa.amsl.com> <ac345fcc-ae8e-a92a-0ec3-4792529c865d@nist.gov> <d91de205-05b4-0b59-b3a3-568fc0f57375@corp.mail.ru>
From: Brandon Long <blong@google.com>
Date: Thu, 06 Apr 2017 15:00:24 -0700
Message-ID: <CABa8R6vXsv+EEka5L89ehwnTDZS6WEhOhOPAZngLPqxwsyQL3g@mail.gmail.com>
To: Vladimir Dubrovin <dubrovin@corp.mail.ru>
Cc: Scott Rose <scott.rose@nist.gov>, "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/related; boundary="001a113d2830d75985054c86a28f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/xRINwXDJarJXVVmX-OtgmujIsR4>
Subject: Re: [dmarc-ietf] Fwd: New Version Notification for draft-srose-dkim-ecc-00.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Apr 2017 22:00:44 -0000

We also recently discussed having a new DKIM rfc revision to create a
registry of algorithms and allowed key lengths, so that we wouldn't need to
rev the rfc every time they changed, and also to incorporate into arc,
which will use similar signatures.

Discussed a bit here:
https://www.ietf.org/mail-archive/web/dmarc/current/msg03436.html

Brandon

On Thu, Apr 6, 2017 at 2:28 PM, Vladimir Dubrovin <dubrovin@corp.mail.ru>
wrote:

>
> Hello Scott,
>
> it may be good to cover compatibility issues, because otherwise there are
> little chances to succeed the older but more compatible protocols in
> nearest future.  The possible (but probably not the best one) solution is:
>
> 1. produce 2 different DKIM-Signatures with 2 different selectors:
> slector1  with SHA-1 + RSA and selector2 one with  SHA-512 + ECDSA
> 2. add an additional field to either selector1 DKIM DNS record (need to
> consult RFC if it's allowed) or to DKIM-Signature with selector1 (it's
> allowed but probably is not enough to protect against downgrade) to
> indicate the selector is legacy-only, e.g. o=sha512/eccp256 to indicate
> this selector should be ignored if verifier supports sha-512 and eccp256.
>
> Legacy verifier has valid DKIM-Signature with sha1+rsa
> Compatible verifier ignores sha1+rsa and choose sha-512+ECDSA
>
> I can imagine few more ways to resolve compatibility issues, but this one
> seems to be a simplest.
>
>
> 06.04.2017 20:32, Scott Rose пишет:
>
> This may be of interest to this group, as there isn't an active DKIM WG
> anymore.  This is my first attempt to produce a draft about defining new
> digital algorithms for DKIM.  I'm trying to keep this short i.e. only
> define a few IANA registry entries and that's it.
>
> I'm trying to head off a potential issue for organizations that are told
> to migrate to ECDSA or looking for algorithm agility that doesn't involve
> using SHA-1.
>
> Comments welcome and needed. Including being told this isn't needed
> (though I think it might be).
>
> Scott Rose
>
> NIST
>
>
>
> -------- Forwarded Message --------
> Subject:     New Version Notification for draft-srose-dkim-ecc-00.txt
> Date:     Thu, 6 Apr 2017 10:26:43 -0700
> From:     internet-drafts@ietf.org
> To:     Scott Rose <scott.rose@nist.gov> <scott.rose@nist.gov>
>
>
>
> A new version of I-D, draft-srose-dkim-ecc-00.txt
> has been successfully submitted by Scott Rose and posted to the
> IETF repository.
>
> Name:        draft-srose-dkim-ecc
> Revision:    00
> Title:        Defining Elliptic Curve Cryptography Algorithms for use with
> DKIM
> Document date:    2017-04-06
> Group:        Individual Submission
> Pages:        6
> URL:            https://www.ietf.org/internet-drafts/draft-srose-dkim-ecc-
> 00.txt
> Status:         https://datatracker.ietf.org/doc/draft-srose-dkim-ecc/
> Htmlized:       https://tools.ietf.org/html/draft-srose-dkim-ecc-00
> Htmlized:       https://datatracker.ietf.org/
> doc/html/draft-srose-dkim-ecc-00
>
>
> Abstract:
>    DomainKeys Identified Mail (DKIM) uses digital signature to associate
>    a message with a given sending domain.  Currently, there is only one
>    cryptography algorithm defined for use with DKIM (RSA).  This
>    document defines four new elliptic curve cryptography algorithms for
>    use with DKIM.  This will allow for algorithm agility if a weakness
>    is found in RSA, and allows for smaller key length to provide the
>    same digital signature strength.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
>
>
> --
> Vladimir Dubrovin
> [image: @Mail.Ru]
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
>

v2.23.0 | Report a Bug | By Email