Re: [ietf-dkim] DKIM Key Sizes
Roland Turner <roland@rolandturner.com> Sun, 30 October 2016 10:12 UTC
Return-Path: <ietf-dkim-bounces@mipassoc.org>
X-Original-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Delivered-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A43E12949E for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Sun, 30 Oct 2016 03:12:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.11
X-Spam-Level:
X-Spam-Status: No, score=0.11 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=rolandturner.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PS0TTB1zrfCL for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Sun, 30 Oct 2016 03:12:35 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2D23126B6D for <ietf-dkim-archive@ietf.org>; Sun, 30 Oct 2016 03:12:35 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [127.0.0.1]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u9UACO75006123; Sun, 30 Oct 2016 03:12:25 -0700
Authentication-Results: simon.songbird.com; dkim=permerror reason="key not found" header.d=rolandturner.com header.i=@rolandturner.com header.b=VnM7OxlZ; dkim-adsp=none (unprotected policy); dkim-atps=neutral
Received: from sg.rolandturner.com (sg.rolandturner.com [175.41.138.242]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u9UACKXb006119 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT) for <ietf-dkim@mipassoc.org>; Sun, 30 Oct 2016 03:12:22 -0700
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=rolandturner.com; s=0.rolandturner.com; h=Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:To:From:References:Subject; bh=VUnqkDiuwedhL/YZJrhJZBfknS3Ti4j2W4QeHJqe3oY=; b=VnM7OxlZRelRxWcYxgHBTjUnRxRtmWL4D5TY/4mJRl101cZudwKacgS76Pg0LbTNrEN9Eryzp6QjivbJwTkhpFbZ1HvDah5DK5ZU2CQmwtV5Q6FPjDcKL5RsRCT5tQwSBjmckOpcKzAQZv1p7TZE+VqqOlmUbT2qm9nSqOG8FqA=;
Received: from [118.200.2.49] (port=42068 helo=[192.168.1.154]) by sg.rolandturner.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from <roland@rolandturner.com>) id 1c0n5M-0005CE-2g for ietf-dkim@mipassoc.org; Sun, 30 Oct 2016 10:11:28 +0000
References: <CAOj=BA3TFzxnHHZ+-tpoMCWxhaGvOg0RREbcYbpzS9g3g8i=Qg@mail.gmail.com> <33093A9D-5406-4BEF-AE65-66696B664593@callas.org> <041f61a9-df5a-5c67-6640-6b1c05bf6c9f@cisco.com> <472e8870-b2b8-c42e-2146-ad45750e2474@sonnection.nl> <1a80d63a-4539-1fc4-9e5a-47a3d92ce89e@cisco.com> <9709551e-8158-b347-73c1-acb93e8c25a1@dcrocker.net> <af9f2021-ada8-5bc6-be9f-402088465adc@cisco.com> <alpine.OSX.2.11.1610291218430.4949@ary.qy>
From: Roland Turner <roland@rolandturner.com>
To: ietf-dkim@mipassoc.org
Message-ID: <6de76f4f-3b1c-22aa-52c6-8b2e3c531ff7@rolandturner.com>
Date: Sun, 30 Oct 2016 18:11:27 +0800
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <alpine.OSX.2.11.1610291218430.4949@ary.qy>
Subject: Re: [ietf-dkim] DKIM Key Sizes
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.16
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim/>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0459898477789899541=="
Errors-To: ietf-dkim-bounces@mipassoc.org
Sender: ietf-dkim <ietf-dkim-bounces@mipassoc.org>
On 10/30/2016 01:04 AM, John R. Levine wrote:
> To get back to the previous argument, if you don't want people using
> DKIM to validate old messages, rotate the keys more often.
I'd suggest that as security services and political operatives have now
been alerted to the potential value of DKIM in validating leaks[1], any
realistic threat model now has to assume that the adversary/ies have
access to a complete DKIM public key history - at least for any sizeable
sender. Indeed:
* this may already have been happening for some time; and, depending
upon their means of information gathering[2]
* passive DNS operators may already have this capability as a
side-effect of what they've always done.
Those who are serious about plausible deniability can always use a
separate keypair per message and retire the public key after a long
enough interval for any likely delivery to take (60s? 2 minutes?),
thereby defeating all subsequent analysis, at least until/unless
ARC-signing by receivers becomes widespread. Whether this is a workable
approach, or whether the objective is even a good idea, appears to be a
long way out of scope for the DKIM specification.
> Deliberately weak signatures strike me as a poor alternative.
Agreed. Worse still, trying to simultaneously pursue the "long enough to
support abuse prevention" and "short enough to support non-repudiation"
creates either of two unworkable situations:
* If we're "lucky", the former is shorter than the latter and we can
tweak the recommended key length to stay within the gap on a regular
basis until the end of time.
* If we're unlucky, the former is longer than the latter and we've
taken on an impossible objective.
In practice, neither length is likely to be able to be determined with
sufficient precision to support realistic decision-making.
- Roland
1: not to a forensic standard perhaps, but certainly to make real-world
determinations about whether a leaked document has been tampered with
2: collecting cached DNS data vs. crawling the DNS
_______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
- [ietf-dkim] DKIM Key Sizes Peter Goldstein
- Re: [ietf-dkim] DKIM Key Sizes Jon Callas
- Re: [ietf-dkim] Smaller keys/Bigger privacy (was:… Jon Callas
- Re: [ietf-dkim] DKIM Key Sizes Stephen Farrell
- Re: [ietf-dkim] DKIM Key Sizes Eliot Lear
- Re: [ietf-dkim] DKIM Key Sizes Rolf E. Sonneveld
- Re: [ietf-dkim] DKIM Key Sizes Eliot Lear
- Re: [ietf-dkim] DKIM Key Sizes Eliot Lear
- Re: [ietf-dkim] DKIM Key Sizes John R. Levine
- Re: [ietf-dkim] DKIM Key Sizes Martijn Grooten
- Re: [ietf-dkim] DKIM Key Sizes Roland Turner
- Re: [ietf-dkim] DKIM Key Sizes Peter Goldstein
- Re: [ietf-dkim] DKIM Key Sizes John R. Levine
- Re: [ietf-dkim] DKIM Key Sizes Jon Callas
- Re: [ietf-dkim] DKIM Key Sizes Scott Kitterman
- Re: [ietf-dkim] DKIM Key Sizes Jim Fenton
- Re: [ietf-dkim] DKIM Key Sizes Eliot Lear
- Re: [ietf-dkim] DKIM Key Sizes Brandon Long