Re: [ietf-dkim] DKIM Key Sizes
Jon Callas <jon@callas.org> Thu, 27 October 2016 22:31 UTC
Return-Path: <ietf-dkim-bounces@mipassoc.org>
X-Original-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Delivered-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C51F31294AF for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Thu, 27 Oct 2016 15:31:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id emALQdVFo7og for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Thu, 27 Oct 2016 15:31:26 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A70D812941C for <ietf-dkim-archive@ietf.org>; Thu, 27 Oct 2016 15:31:26 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [127.0.0.1]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u9RMURqU006035; Thu, 27 Oct 2016 15:30:29 -0700
Received: from mail.merrymeet.com (merrymeet.com [173.164.244.100]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u9RMUP8i006030 for <ietf-dkim@mipassoc.org>; Thu, 27 Oct 2016 15:30:26 -0700
Received: from localhost (localhost [127.0.0.1]) by mail.merrymeet.com (Postfix) with ESMTP id D0584A5AFF54 for <ietf-dkim@mipassoc.org>; Thu, 27 Oct 2016 15:29:39 -0700 (PDT)
Received: from mail.merrymeet.com ([127.0.0.1]) by localhost (merrymeet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M103J0T8f4re for <ietf-dkim@mipassoc.org>; Thu, 27 Oct 2016 15:29:28 -0700 (PDT)
Received: from keys.merrymeet.com (keys.merrymeet.com [173.164.244.97]) by mail.merrymeet.com (Postfix) with ESMTPSA id 6A2A4A5AFF36 for <ietf-dkim@mipassoc.org>; Thu, 27 Oct 2016 15:29:28 -0700 (PDT)
Received: from [17.244.165.138] ([17.244.165.138]) by keys.merrymeet.com (PGP Universal service); Thu, 27 Oct 2016 15:29:28 -0700
X-PGP-Universal: processed; by keys.merrymeet.com on Thu, 27 Oct 2016 15:29:28 -0700
Mime-Version: 1.0 (Mac OS X Mail 10.0 \(3226\))
From: Jon Callas <jon@callas.org>
In-Reply-To: <CAOj=BA3TFzxnHHZ+-tpoMCWxhaGvOg0RREbcYbpzS9g3g8i=Qg@mail.gmail.com>
Date: Thu, 27 Oct 2016 15:29:26 -0700
Message-Id: <33093A9D-5406-4BEF-AE65-66696B664593@callas.org>
References: <CAOj=BA3TFzxnHHZ+-tpoMCWxhaGvOg0RREbcYbpzS9g3g8i=Qg@mail.gmail.com>
To: Peter Goldstein <peter@valimail.com>
X-Mailer: Apple Mail (2.3226)
X-PGP-Encoding-Format: Partitioned
X-PGP-Encoding-Version: 2.0.2
X-Content-PGP-Universal-Saved-Content-Transfer-Encoding: quoted-printable
X-Content-PGP-Universal-Saved-Content-Type: text/plain; charset=us-ascii
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by simon.songbird.com id u9RMUP8i006030
Cc: ietf-dkim@mipassoc.org
Subject: Re: [ietf-dkim] DKIM Key Sizes
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.16
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim/>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: ietf-dkim-bounces@mipassoc.org
Sender: ietf-dkim <ietf-dkim-bounces@mipassoc.org>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > On Oct 27, 2016, at 1:29 AM, Peter Goldstein <peter@valimail.com> wrote: > > Those guidelines ... specify that receivers MUST validate signatures of 512 to 2048 bits, but are not required to validate signatures with longer keys - may be worth revisiting given advances in computing power, the increasing importance of DKIM as an element of email authentication, and the reuse of these guidelines in other proposals (i.e. ARC). > [...] > I'd like to suggest that it may be a good idea to increase the upper value to 4096 or even 8192, to ensure that the standard is compatible with best practices going forward. I don't object to increasing it in the standard, but operationally I don't think it's a good idea. Per-message processing cost is one reason, but the larger one is the semantic value of a DKIM signature, and what it is trying to do. DKIM is a conversation between two administrative domains, and a signature only states that an administrative domain is taking responsibility for placing the message in the message stream. Nothing more. That assurance comes at a cost of whatever integrity that assigns to a message that might have been unintended. That message integrity is a privacy loss by the users. The real-world case in point is the leaked Podesta emails, where some people have asserted that authenticity can be checked via the DKIM signatures. I've raised an eyebrow on that, and the bottom line is that you're presuming that attackers were sophisticated enough to steal the email, yet unsophisticated enough that stealing the DKIM key from an MTA is out of the question. The full discussion is pretty nuanced, and I think the relevant part here is that if an administrative domain wants to protect the privacy of its users, it should be using *smaller* DKIM keys, not larger ones. I think I could convincingly argue that a privacy-friendly email provider is better off using 512 bit keys (where there's a chance of spam forgery) than 4K keys (where there's a chance of ruining the privacy of the customers). Now actually, I think the sweet spot for key size is above 512, but it's lower than 768. For maximum balance, you want the key to take longer than a week to crack, but less than a year, and change it every month. Or something like that. You get the idea. In any event, I don't object to changing it, but I do think that if someone's going to implement long keys, they're going to get criticism about enabling surveillance of their users. Jon -----BEGIN PGP SIGNATURE----- Version: PGP Universal 3.3.0 (Build 9060) Charset: us-ascii wsBVAwUBWBJ/yPaTaG6hZJn9AQi25gf/RKmX+4WUI+QatOiyiX0wKRsW2yZ8AGvE 8PYRnT+eB9a9QJ6xEBSllFC5DTO97Qwkdeob5rjpMEpgGC8XVujPN31kuFn0M9Hd diRpt0QSpT5VWIqVFoHv0kg1ucylJrjuDDQv8YbvKEwnSI7UDdWUilU7eZLxc341 B5D0jhAMbKnXFu6xQiTf+ANcpnpyaIOaQdfBo+4xsh1ZQ8ghgIT7gvSva3hfgFQy 1yIC5IikhMKUCIhBalu6y5hKdwLOHS+L9Fi8JTDSt3hdWQc9DQcYz4mCQqqZvOF8 qTs7pKKoJnn/+KkePZURH6xm6/yAVyK7/K5dux3qFuUc8QykRM6QHQ== =3qlc -----END PGP SIGNATURE----- _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
- [ietf-dkim] DKIM Key Sizes Peter Goldstein
- Re: [ietf-dkim] DKIM Key Sizes Jon Callas
- Re: [ietf-dkim] Smaller keys/Bigger privacy (was:… Jon Callas
- Re: [ietf-dkim] DKIM Key Sizes Stephen Farrell
- Re: [ietf-dkim] DKIM Key Sizes Eliot Lear
- Re: [ietf-dkim] DKIM Key Sizes Rolf E. Sonneveld
- Re: [ietf-dkim] DKIM Key Sizes Eliot Lear
- Re: [ietf-dkim] DKIM Key Sizes Eliot Lear
- Re: [ietf-dkim] DKIM Key Sizes John R. Levine
- Re: [ietf-dkim] DKIM Key Sizes Martijn Grooten
- Re: [ietf-dkim] DKIM Key Sizes Roland Turner
- Re: [ietf-dkim] DKIM Key Sizes Peter Goldstein
- Re: [ietf-dkim] DKIM Key Sizes John R. Levine
- Re: [ietf-dkim] DKIM Key Sizes Jon Callas
- Re: [ietf-dkim] DKIM Key Sizes Scott Kitterman
- Re: [ietf-dkim] DKIM Key Sizes Jim Fenton
- Re: [ietf-dkim] DKIM Key Sizes Eliot Lear
- Re: [ietf-dkim] DKIM Key Sizes Brandon Long