IETF Logo Mail Archive

Re: [ietf-dkim] Today's jabber #1271: Binary algorithms and algorithm spoofing during a transition.

Douglas Otis <dotis@mail-abuse.org> Thu, 18 May 2006 20:39 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FgpHi-0007kE-Ce for ietf-dkim-archive@lists.ietf.org; Thu, 18 May 2006 16:39:50 -0400
Received: from sb7.songbird.com ([208.184.79.137]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FgpHf-0004aQ-U8 for ietf-dkim-archive@lists.ietf.org; Thu, 18 May 2006 16:39:50 -0400
Received: from sb7.songbird.com (sb7.songbird.com [127.0.0.1]) by sb7.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id k4IKXtZw018146; Thu, 18 May 2006 13:33:55 -0700
Received: from a.mail.sonic.net (a.mail.sonic.net [64.142.16.245]) by sb7.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id k4IKXqLT018128 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-dkim@mipassoc.org>; Thu, 18 May 2006 13:33:52 -0700
Received: from [10.2.164.130] (SJC-Office-NAT-218.Mail-Abuse.ORG [168.61.10.218]) (authenticated bits=0) by a.mail.sonic.net (8.13.6/8.13.3) with ESMTP id k4IKXJDP012073 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NO); Thu, 18 May 2006 13:33:19 -0700
In-Reply-To: <6677AD151581F16B12410C50@rieux.local>
References: <446C85F0.8090302@cs.tcd.ie> <446CA16F.3050705@att.com> <20060518173859.46403.qmail@snake.corp.yahoo.com> <446CC337.3080502@mtcc.com> <20060518192525.48153.qmail@snake.corp.yahoo.com> <6677AD151581F16B12410C50@rieux.local>
Mime-Version: 1.0 (Apple Message framework v750)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <C8548329-2A91-48C2-BBFE-AF1360AA2992@mail-abuse.org>
Content-Transfer-Encoding: 7bit
From: Douglas Otis <dotis@mail-abuse.org>
Subject: Re: [ietf-dkim] Today's jabber #1271: Binary algorithms and algorithm spoofing during a transition.
Date: Thu, 18 May 2006 13:33:17 -0700
To: Eric Allman <eric@neophilic.com>
X-Mailer: Apple Mail (2.750)
X-Songbird: Clean, Clean
Cc: Mark Delany <MarkD+dkim@yahoo-inc.com>, ietf-dkim@mipassoc.org
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Sender: ietf-dkim-bounces@mipassoc.org
Errors-To: ietf-dkim-bounces@mipassoc.org
X-SongbirdInformation: support@songbird.com for more information
X-Songbird-From: ietf-dkim-bounces@mipassoc.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 093efd19b5f651b2707595638f6c4003

On May 18, 2006, at 12:46 PM, Eric Allman wrote:

> I think it's valuable to have the base spec define a "must  
> implement" set of semantics.  Connecting that to the representation  
> will obviously differ depending on many things, not the least of  
> which being text vs. binary representations.
>
> Since -base is (now) only defining TXT, it seems to make sense for  
> that to remain the definition syntax.  [Posix tried to define  
> abstract semantics and then binding for each language.  This was a  
> disaster and after losing at least a year of time they went back to  
> using C as the definition language.]
>
> It probably does make sense clarifying that /any/ representation  
> has to include these basic values with the same semantics, but make  
> it clear that the syntax is specific to TXT records and may or may  
> not apply to others.  I tried to do that by saying that the defined  
> representation SHOULD be used for any text-based system, but  
> perhaps I didn't go far enough.


If the binary RR uses a binary representation for the algorithm, then  
within the base draft...

,---
| a= The algorithm used to generate the signature (plain-text;
| REQUIRED). Verifiers MUST support "rsa-sha1" and "rsa-sha256";
| signers SHOULD sign using "rsa-sha256". See Section 3.3 for a
| description of algorithms.
|
| ABNF:
|
| sig-a-tag = %x61 [FWS] "=" [FWS] sig-a-tag-alg
| sig-a-tag-alg = "rsa-sha1" / "rsa-sha256" / x-sig-a-tag-alg
| x-sig-a-tag-alg = hyphenated-word ; for later extension
'___


Could change to:

: a= (plain-text string or decimal positive integer
: representation of an 8-bit algorithm number used to
: generate the signature; REQUIRED). The number is
: defined in the algorithm table that supports the KEY, SIG,
: DNSKEY, RRSIG, DS, and CERT RRs. See RFC3110 and
: draft-ietf-dnsext-dnssec-rsasha256.
:
: Verifiers must support (5) RSA/SHA-1 and (tbd) RSA/SHA-256.
: ABNF:
:
: sig-a-tag = %x61 [FWS] "=" [FWS] sig-a-tag-alg
: sig-a-tag-alg = "rsa-sha1" / "rsasha256" / "5" / "tbd"
:
: Future algorithms will always be specified by number.

Or to avoid the draft dependency:

: a= (plain-text string or decimal positive integer
: representation of an 8-bit algorithm number used to
: generate the signature; REQUIRED).  When a number is used
: within the key, the same number MUST be used in the
: DKIM-Signature header field.
:
: Verifiers must support  rsa-sha-1 and rsasha256.
:
: ABNF:
:
: sig-a-tag = %x61 [FWS] "=" [FWS] sig-a-tag-alg
: sig-a-tag-alg = "rsa-sha1" / "rsasha256" / 1*(DIGIT)
:
: Future algorithms will always be specified by number.

	
-Doug




>
> --On May 18, 2006 7:25:25 PM +0000 Mark Delany <MarkD+dkim@yahoo- 
> inc.com> wrote:
>
>> On Thu, May 18, 2006 at 11:55:51AM -0700, Michael Thomas allegedly
>> wrote:
>>> Mark Delany wrote:
>>>
>>> >> OLD:	TXT records are encoded as described in Section 3.6.1.
>>> >>
>>> >>
>>> >
>>> > So I've circulated the draft DKK to a couple of people to get the
>>> > roughest edges off.
>>> >
>>> > One of the big questions asked in that draft relates to the
>>> > relationship between TXT and DKK semantics. Which one is
>>> > authoritative and which one is a mirror? Or should base be
>>> > authoritative and both the TXT and DKK simply be particular
>>> > representations?
>>> >
>>> >
>>> Is there really any reason to force one to be the master of the
>>> other?
>>
>> Simply to avoid duplication of semantics. I was merely asking which
>> text is the source of truth and where should it reside. Also,
>> presumably if a DKK springs into existence, the TXT may well be
>> frozen at some point with new functionality only going into the DKK
>> RR.
>>
>>
>> Mark.
>> _______________________________________________
>> NOTE WELL: This list operates according to
>> http://mipassoc.org/dkim/ietf-list-rules.html
>>
>
>
> _______________________________________________
> NOTE WELL: This list operates according to http://mipassoc.org/dkim/ 
> ietf-list-rules.html

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

v2.23.0 | Report a Bug | By Email