IETF Logo Mail Archive

Re: [ietf-dkim] small question in draft-ietf-dkim-base-00.txt on TXTrecord

Douglas Otis <dotis@mail-abuse.org> Mon, 20 February 2006 23:12 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FBKCb-0008By-QH for ietf-dkim-archive@lists.ietf.org; Mon, 20 Feb 2006 18:12:21 -0500
Received: from sb7.songbird.com ([208.184.79.137]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FBKCY-0001G5-Bz for ietf-dkim-archive@lists.ietf.org; Mon, 20 Feb 2006 18:12:21 -0500
Received: from sb7.songbird.com (sb7.songbird.com [127.0.0.1]) by sb7.songbird.com (8.12.11/8.12.11) with ESMTP id k1KN3JkW005204; Mon, 20 Feb 2006 15:03:19 -0800
Received: from a.mail.sonic.net (a.mail.sonic.net [64.142.16.245]) by sb7.songbird.com (8.12.11/8.12.11) with ESMTP id k1KN34Zb005173 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for <ietf-dkim@mipassoc.org>; Mon, 20 Feb 2006 15:03:04 -0800
Received: from [168.61.10.151] (SJC-Office-DHCP-151.Mail-Abuse.ORG [168.61.10.151]) (authenticated bits=0) by a.mail.sonic.net (8.13.3/8.13.3) with ESMTP id k1KN2PPD026918 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NO); Mon, 20 Feb 2006 15:02:25 -0800
In-Reply-To: <198A730C2044DE4A96749D13E167AD3792AA8D@MOU1WNEXMB04.vcorp.ad.vrsn.com>
References: <198A730C2044DE4A96749D13E167AD3792AA8D@MOU1WNEXMB04.vcorp.ad.vrsn.com>
Mime-Version: 1.0 (Apple Message framework v746.2)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <BF0DA6BA-D75A-4FF7-BC6F-8753FFBDFE2D@mail-abuse.org>
Content-Transfer-Encoding: 7bit
From: Douglas Otis <dotis@mail-abuse.org>
Subject: Re: [ietf-dkim] small question in draft-ietf-dkim-base-00.txt on TXTrecord
Date: Mon, 20 Feb 2006 15:02:41 -0800
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
X-Mailer: Apple Mail (2.746.2)
X-Songbird: Found to be clean, Found to be clean
Cc: IETF DKIM WG <ietf-dkim@mipassoc.org>
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Sender: ietf-dkim-bounces@mipassoc.org
Errors-To: ietf-dkim-bounces@mipassoc.org
X-SongbirdInformation: support@songbird.com for more information
X-Songbird-From: ietf-dkim-bounces@mipassoc.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4b800b1eab964a31702fa68f1ff0e955

On Feb 20, 2006, at 1:43 PM, Hallam-Baker, Phillip wrote:
>>  Douglas Otis wrote:
>>
>> DKIM should specify a binary structure used with the CERT RR.   
>> This RR already offers fields defining the critical hash  
>> algorithm, for example.  By just specifying the hash used in  
>> signature header, once a hash algorithm is later discovered  
>> compromised, there is no means to keep bad actors from using this  
>> compromised hash algorithm for spoofing messages.  It would appear  
>> the DKIM draft is not ready.
>
> The CERT RR is utterly useless for our purposes unless you are  
> confident in the ability of DNS to move DNS messages of at least  
> 2Kb reliably.

2048 bits represents 256 bytes of binary data easily and reliably  
stored using the #37 RR.  In addition, the #37 Cert RR also provides  
a method to reference other key acquisition options in the event  
something is needed that DNS can not provide.

http://www.ietf.org/internet-drafts/draft-ietf-dnsext-rfc2538bis-09.txt

      Value  Mnemonic  Certificate Type
      -----  --------  ----------------
          0            reserved
          1  PKIX      X.509 as per PKIX
          2  SPKI      SPKI certificate
          3  PGP       OpenPGP packet
          4  IPKIX     The URL of an X.509 data object
          5  ISPKI     The URL of an SPKI certificate
          6  IPGP      The URL of an OpenPGP packet
          7  ACPKIX    Attribute Certificate
          8  IACPKIX   The URL of an Attribute Certificate
      9-252            available for IANA assignment
        253  URI       URI private
        254  OID       OID private
  255-65023            available for IANA assignment
  65024-65534          experimental
      65535            reserved


With a draft describing the data structure, this could be expanded to:
      Value  Mnemonic  Certificate Type
      -----  --------  ----------------
          9   DKIM      DKIM Binary Key
         10   IDKIM     The URL of a DKIM Key Server


> My expectation is that you end up in TCP/IP fallback as mandated in  
> the original DNS spec at 500 bytes.

The minimum MTU of 576 bytes constrains DNS messages to 512 bytes.


> If you can move packets of that size the need for binary encoding  
> vanishes.

If the goal is to handle 2k bit keys, the need for binary encoding is  
paramount.  Otherwise, something other than DNS is required, like a  
key server or perhaps DNSsec. : (


-Doug



_______________________________________________
NOTE WELL: This list operates according to 
http://dkim.org/ietf-list-rules.html

v2.23.0 | Report a Bug | By Email