IETF Logo Mail Archive

Re: [ietf-dkim] DKIM Key Sizes

Eliot Lear <lear@cisco.com> Fri, 28 October 2016 12:03 UTC

Return-Path: <ietf-dkim-bounces@mipassoc.org>
X-Original-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Delivered-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6588B129AB8 for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Fri, 28 Oct 2016 05:03:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.791
X-Spam-Level:
X-Spam-Status: No, score=-1.791 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KxEzFVmW31Hl for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Fri, 28 Oct 2016 05:03:51 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AFD9129AB7 for <ietf-dkim-archive@ietf.org>; Fri, 28 Oct 2016 05:03:51 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [127.0.0.1]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u9SC3ZcZ002148; Fri, 28 Oct 2016 05:03:36 -0700
Authentication-Results: simon.songbird.com; dkim=fail reason="verification failed; unprotected key" header.d=cisco.com header.i=@cisco.com header.b=m0Q93Rcr; dkim-adsp=none (unprotected policy); dkim-atps=neutral
Received: from aer-iport-3.cisco.com (aer-iport-3.cisco.com [173.38.203.53]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u9SC3VCp002144 (version=TLSv1/SSLv3 cipher=DHE-RSA-SEED-SHA bits=128 verify=NOT) for <ietf-dkim@mipassoc.org>; Fri, 28 Oct 2016 05:03:33 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4539; q=dns/txt; s=iport; t=1477656168; x=1478865768; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to; bh=eR7xhl8gsvuElJX9rfLLAhaBy616yMi14lXDlj7/oxI=; b=m0Q93RcriYDrAu0AToIkl4ReqCfUtYQUqreSZ77gw/O6h9a2qYQFOpP5 MBIDAqbAQw18SWN/noUj641gl47BBMFPPcRnXFilL9qdGSxSTaPO6gAHT 9Bcx27YNAikjxR6tIyuL+nURhAZBGpPXT81RLHOPKYrZeaePk6usNr+Io M=;
X-Files: signature.asc : 481
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0C4AwAQPhNY/xbLJq1cGQEBAQEBAQEBAQEBBwEBAQEBgyoBAQEBAYEhpQiSMIIPggeGIwKCShIBAgEBAQEBAQFiKIRiAQEBAwEOFUIUEAsYFRUCAlcGAQwIAQGISAixIIx1AQEBAQEBAQEBAQEBAQEBAQESDog6CIFLgQWEGREBW4JFglsBBJoYg0OBeYN5hnKJcoYSkRAlCSYtJAYIhQw8hX6CKQEBAQ
X-IronPort-AV: E=Sophos;i="5.31,557,1473120000"; d="asc'?scan'208";a="647709483"
Received: from aer-iport-nat.cisco.com (HELO aer-core-3.cisco.com) ([173.38.203.22]) by aer-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 28 Oct 2016 12:02:39 +0000
Received: from [10.61.162.190] ([10.61.162.190]) by aer-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id u9SC2dFr032558; Fri, 28 Oct 2016 12:02:39 GMT
To: Jon Callas <jon@callas.org>, Peter Goldstein <peter@valimail.com>
References: <CAOj=BA3TFzxnHHZ+-tpoMCWxhaGvOg0RREbcYbpzS9g3g8i=Qg@mail.gmail.com> <33093A9D-5406-4BEF-AE65-66696B664593@callas.org>
From: Eliot Lear <lear@cisco.com>
Message-ID: <041f61a9-df5a-5c67-6640-6b1c05bf6c9f@cisco.com>
Date: Fri, 28 Oct 2016 14:02:38 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <33093A9D-5406-4BEF-AE65-66696B664593@callas.org>
Cc: ietf-dkim@mipassoc.org
Subject: Re: [ietf-dkim] DKIM Key Sizes
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.16
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim/>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============2493399443505628166=="
Errors-To: ietf-dkim-bounces@mipassoc.org
Sender: ietf-dkim <ietf-dkim-bounces@mipassoc.org>

Hi Jon,

On 10/28/16 12:29 AM, Jon Callas wrote:
>
> > I'd like to suggest that it may be a good idea to increase the upper
> value to 4096 or even 8192, to ensure that the standard is compatible
> with best practices going forward.
>
> I don't object to increasing it in the standard, but operationally I
> don't think it's a good idea. Per-message processing cost is one
> reason, but the larger one is the semantic value of a DKIM signature,
> and what it is trying to do.
>
> DKIM is a conversation between two administrative domains, and a
> signature only states that an administrative domain is taking
> responsibility for placing the message in the message stream. Nothing
> more.

I really don't get your point.  Either the thing is worth signing or it
isn’t.  See below.
>
> That assurance comes at a cost of whatever integrity that assigns to a
> message that might have been unintended. That message integrity is a
> privacy loss by the users.
>
> The real-world case in point is the leaked Podesta emails, where some
> people have asserted that authenticity can be checked via the DKIM
> signatures. I've raised an eyebrow on that, and the bottom line is
> that you're presuming that attackers were sophisticated enough to
> steal the email, yet unsophisticated enough that stealing the DKIM key
> from an MTA is out of the question.

If it’s the same conversation I was engaged in, I think the person was
just confused.  A simpler approach to plausible deniability is simply
not to sign.  And further, just because a person can hack someone’s
personal message store, as seems to have happened to Podesta, doesn’t
mean that they can hack the private key out of Google.  Furthermore,
using the example above, the key would actually have to be around for a
while (e.g., not rotate out of DNS).  In fact, if the key really is
intended to verify the source over a longer period of time than, say,
delivery, certainly 512 is not enough.

>
> The full discussion is pretty nuanced, and I think the relevant part
> here is that if an administrative domain wants to protect the privacy
> of its users, it should be using *smaller* DKIM keys, not larger ones.
> I think I could convincingly argue that a privacy-friendly email
> provider is better off using 512 bit keys (where there's a chance of
> spam forgery) than 4K keys (where there's a chance of ruining the
> privacy of the customers). Now actually, I think the sweet spot for
> key size is above 512, but it's lower than 768. For maximum balance,
> you want the key to take longer than a week to crack, but less than a
> year, and change it every month. Or something like that. You get the idea.

Color me obtuse, but are you worried about the incentives to break into
the user's account or are you worried about the provider wanting to peer
into users' email in order to assure itself that it’s not spam?

Eliot



_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html

v2.23.0 | Report a Bug | By Email