Re: [ietf-dkim] small question in draft-ietf-dkim-base-00.txt on TXTrecord
Douglas Otis <dotis@mail-abuse.org> Mon, 20 February 2006 23:12 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FBKCb-0008By-QH for ietf-dkim-archive@lists.ietf.org; Mon, 20 Feb 2006 18:12:21 -0500
Received: from sb7.songbird.com ([208.184.79.137]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FBKCY-0001G5-Bz for ietf-dkim-archive@lists.ietf.org; Mon, 20 Feb 2006 18:12:21 -0500
Received: from sb7.songbird.com (sb7.songbird.com [127.0.0.1]) by sb7.songbird.com (8.12.11/8.12.11) with ESMTP id k1KN3JkW005204; Mon, 20 Feb 2006 15:03:19 -0800
Received: from a.mail.sonic.net (a.mail.sonic.net [64.142.16.245]) by sb7.songbird.com (8.12.11/8.12.11) with ESMTP id k1KN34Zb005173 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for <ietf-dkim@mipassoc.org>; Mon, 20 Feb 2006 15:03:04 -0800
Received: from [168.61.10.151] (SJC-Office-DHCP-151.Mail-Abuse.ORG [168.61.10.151]) (authenticated bits=0) by a.mail.sonic.net (8.13.3/8.13.3) with ESMTP id k1KN2PPD026918 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NO); Mon, 20 Feb 2006 15:02:25 -0800
In-Reply-To: <198A730C2044DE4A96749D13E167AD3792AA8D@MOU1WNEXMB04.vcorp.ad.vrsn.com>
References: <198A730C2044DE4A96749D13E167AD3792AA8D@MOU1WNEXMB04.vcorp.ad.vrsn.com>
Mime-Version: 1.0 (Apple Message framework v746.2)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <BF0DA6BA-D75A-4FF7-BC6F-8753FFBDFE2D@mail-abuse.org>
Content-Transfer-Encoding: 7bit
From: Douglas Otis <dotis@mail-abuse.org>
Subject: Re: [ietf-dkim] small question in draft-ietf-dkim-base-00.txt on TXTrecord
Date: Mon, 20 Feb 2006 15:02:41 -0800
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
X-Mailer: Apple Mail (2.746.2)
X-Songbird: Found to be clean, Found to be clean
Cc: IETF DKIM WG <ietf-dkim@mipassoc.org>
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Sender: ietf-dkim-bounces@mipassoc.org
Errors-To: ietf-dkim-bounces@mipassoc.org
X-SongbirdInformation: support@songbird.com for more information
X-Songbird-From: ietf-dkim-bounces@mipassoc.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4b800b1eab964a31702fa68f1ff0e955
On Feb 20, 2006, at 1:43 PM, Hallam-Baker, Phillip wrote: >> Douglas Otis wrote: >> >> DKIM should specify a binary structure used with the CERT RR. >> This RR already offers fields defining the critical hash >> algorithm, for example. By just specifying the hash used in >> signature header, once a hash algorithm is later discovered >> compromised, there is no means to keep bad actors from using this >> compromised hash algorithm for spoofing messages. It would appear >> the DKIM draft is not ready. > > The CERT RR is utterly useless for our purposes unless you are > confident in the ability of DNS to move DNS messages of at least > 2Kb reliably. 2048 bits represents 256 bytes of binary data easily and reliably stored using the #37 RR. In addition, the #37 Cert RR also provides a method to reference other key acquisition options in the event something is needed that DNS can not provide. http://www.ietf.org/internet-drafts/draft-ietf-dnsext-rfc2538bis-09.txt Value Mnemonic Certificate Type ----- -------- ---------------- 0 reserved 1 PKIX X.509 as per PKIX 2 SPKI SPKI certificate 3 PGP OpenPGP packet 4 IPKIX The URL of an X.509 data object 5 ISPKI The URL of an SPKI certificate 6 IPGP The URL of an OpenPGP packet 7 ACPKIX Attribute Certificate 8 IACPKIX The URL of an Attribute Certificate 9-252 available for IANA assignment 253 URI URI private 254 OID OID private 255-65023 available for IANA assignment 65024-65534 experimental 65535 reserved With a draft describing the data structure, this could be expanded to: Value Mnemonic Certificate Type ----- -------- ---------------- 9 DKIM DKIM Binary Key 10 IDKIM The URL of a DKIM Key Server > My expectation is that you end up in TCP/IP fallback as mandated in > the original DNS spec at 500 bytes. The minimum MTU of 576 bytes constrains DNS messages to 512 bytes. > If you can move packets of that size the need for binary encoding > vanishes. If the goal is to handle 2k bit keys, the need for binary encoding is paramount. Otherwise, something other than DNS is required, like a key server or perhaps DNSsec. : ( -Doug _______________________________________________ NOTE WELL: This list operates according to http://dkim.org/ietf-list-rules.html
- RE: [ietf-dkim] small question in draft-ietf-dkim… Hallam-Baker, Phillip
- Re: [ietf-dkim] small question in draft-ietf-dkim… Douglas Otis
- RE: [ietf-dkim] small question in draft-ietf-dkim… Hallam-Baker, Phillip
- Re: [ietf-dkim] small question in draft-ietf-dkim… Douglas Otis