Re: [ietf-dkim] New Issue: Base: Upgrade indication and protection against downgrade attacks
Douglas Otis <dotis@mail-abuse.org> Thu, 16 February 2006 18:30 UTC
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F9ntW-0008Dg-Se for ietf-dkim-archive@megatron.ietf.org; Thu, 16 Feb 2006 13:30:22 -0500
Received: from sb7.songbird.com (sb7.songbird.com [208.184.79.137]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA19414 for <ietf-dkim-archive@lists.ietf.org>; Thu, 16 Feb 2006 13:28:35 -0500 (EST)
Received: from sb7.songbird.com (sb7.songbird.com [127.0.0.1]) by sb7.songbird.com (8.12.11/8.12.11) with ESMTP id k1GIT9PX009810; Thu, 16 Feb 2006 10:29:09 -0800
Received: from b.mail.sonic.net (b.mail.sonic.net [64.142.19.5]) by sb7.songbird.com (8.12.11/8.12.11) with ESMTP id k1GISrBW009779 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=OK) for <ietf-dkim@mipassoc.org>; Thu, 16 Feb 2006 10:28:54 -0800
Received: from [168.61.10.151] (SJC-Office-DHCP-151.Mail-Abuse.ORG [168.61.10.151]) (authenticated bits=0) by b.mail.sonic.net (8.13.3/8.13.3) with ESMTP id k1GISE3o018280 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NO); Thu, 16 Feb 2006 10:28:14 -0800
In-Reply-To: <20060216173645.15229.qmail@snake.corp.yahoo.com>
References: <20060215074634.94315.qmail@snake.corp.yahoo.com> <43F49B40.7030703@cs.tcd.ie> <43F4A4FC.3040406@mtcc.com> <43F4A669.80701@dcrocker.net> <20060216173645.15229.qmail@snake.corp.yahoo.com>
Mime-Version: 1.0 (Apple Message framework v746.2)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <8BA4313D-4269-4DE0-855D-D08E6F9DDF04@mail-abuse.org>
Content-Transfer-Encoding: 7bit
From: Douglas Otis <dotis@mail-abuse.org>
Subject: Re: [ietf-dkim] New Issue: Base: Upgrade indication and protection against downgrade attacks
Date: Thu, 16 Feb 2006 10:28:08 -0800
To: Mark Delany <MarkD+dkim@yahoo-inc.com>
X-Mailer: Apple Mail (2.746.2)
X-Songbird: Found to be clean, Found to be clean
Cc: ietf-dkim@mipassoc.org
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Sender: ietf-dkim-bounces@mipassoc.org
Errors-To: ietf-dkim-bounces@mipassoc.org
X-SongbirdInformation: support@songbird.com for more information
X-Songbird-From: ietf-dkim-bounces@mipassoc.org
Content-Transfer-Encoding: 7bit
On Feb 16, 2006, at 9:36 AM, Mark Delany wrote: > On Thu, Feb 16, 2006 at 08:20:57AM -0800, Dave Crocker allegedly > wrote: > >> I keep coming back to the very limited goal of DKIM and wondering >> whether the concern about a downgrade attack isn't just a little >> too esoteric for that goal. > > It happens that it also solves the agility requirement too. So even > if you're skeptical of downgrade attacks being relevant, we are > hoping - I presume - that DKIM will live for longer than the > current set of anointed algorithms and that we do need a way to > transition that doesn't require a forklift. Preventing hash related exploits with the 'a=' parameter within the signature header remains doubtful. The hash parameter should be indicated within the key information. If I followed this correctly, you suggested the hash information could be moved to the currently undefined selector, which makes upward definitions difficult. As the key must be located at the selector, there would be little advantage in using such an approach except to retain the limited (flawed) key definition even though DNS entries must change. Introducing a new hash algorithm also means introducing new client software. Perhaps modifying key content can also be resolved when transitioning to the use of the CERT RR. This CERT RR would allow key information to be stored in a binary form, include references to other types of key services, and properly defined the complete algorithms as needed for a secure design. : ) http://www.ietf.org/internet-drafts/draft-ietf-dnsext-rfc2538bis-09.txt This CERT RR has the algorithms defined within a fields specified within a key parameter, the safe method for defining the hash used. -Doug _______________________________________________ NOTE WELL: This list operates according to http://dkim.org/ietf-list-rules.html
- [ietf-dkim] New Issue: Base: Upgrade indication a… Mark Delany
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Stephen Farrell
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Dave Crocker
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Stephen Farrell
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Arvel Hathcock
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Mark Delany
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Arvel Hathcock
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Douglas Otis
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Michael Thomas
- [ietf-dkim] Re: New Issue: Base: Upgrade indicati… Frank Ellermann
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Eric Allman
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Stephen Farrell
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Stephen Farrell
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Mark Delany
- [ietf-dkim] Supporting alternate algorithms Dave Crocker
- [ietf-dkim] Re: Supporting alternate algorithms Stephen Farrell
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Stephen Farrell
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Mark Delany
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Stephen Farrell
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Eliot Lear
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Stephen Farrell
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Michael Thomas
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Dave Crocker
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Stephen Farrell
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Steve Atkins
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Dave Crocker
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Stephen Farrell
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Dave Crocker
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Stephen Farrell
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Mark Delany
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Mark Delany
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Mark Delany
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Dave Crocker
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Mark Delany
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Dave Crocker
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Douglas Otis
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Eliot Lear
- Re: [ietf-dkim] New Issue: Base: Upgrade indicati… Eliot Lear