IETF Logo Mail Archive

Re: [Ietf-dkim] RFC 8463: DNS textual form underspecified

Steffen Nurpmeso <steffen@sdaoden.eu> Sun, 14 April 2024 19:14 UTC

Return-Path: <steffen@sdaoden.eu>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADC65C14F5FC for <ietf-dkim@ietfa.amsl.com>; Sun, 14 Apr 2024 12:14:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sdaoden.eu header.b="CZZjHVmE"; dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=sdaoden.eu header.b="xof3kreQ"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ta10K7PmdkGe for <ietf-dkim@ietfa.amsl.com>; Sun, 14 Apr 2024 12:14:01 -0700 (PDT)
Received: from sdaoden.eu (sdaoden.eu [217.144.132.164]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83008C14F5FB for <ietf-dkim@ietf.org>; Sun, 14 Apr 2024 12:13:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sdaoden.eu; s=citron; t=1713122037; x=1713788703; h=date:author:from:to:cc:subject: message-id:in-reply-to:references:mail-followup-to:openpgp:blahblahblah: mime-version:content-type:content-transfer-encoding:author:from:subject: date:to:cc:resent-date:resent-from:resent-to:resent-cc:in-reply-to: references:mime-version:content-type:content-transfer-encoding:message-id: mail-followup-to:openpgp:blahblahblah; bh=YO7fzhSuIW6Amlimi3e/ObpNWMHoMRbctdRyOjfYlI0=; b=CZZjHVmEVjkrk26ZvXRzcKzPA8e9ctPCJD8AzdjXjfkUL/oEJ6OUGbwzvXcGw22HrHlz21Ub yUVqqPw3ySIF9WWYrtAJ9yAPUfcZnGgUw8CZU0ujnO019LmeZR547GeZ9XXzklbJJP4QbvTMO4 u/Dir4whgjAs07wM8m5cOJQxG1gfSqFvCoZIOB9f+G21YnlfScOtZCk3rZAXqsU7K8Z9ELNFS9 SPfUKNwNydsYnalETK4vBcT1sChPLLdzxY74T5SU7Gzcayw5woRrGU8xz8bBeRbXLGWAJ9gQRD XQCdm9R/dTcFLCMe46tREsfE2p2hfIHlz3F8f+CP8il/T0Og==
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=sdaoden.eu; s=orange; t=1713122037; x=1713788703; h=date:author:from:to:cc:subject: message-id:in-reply-to:references:mail-followup-to:openpgp:blahblahblah: mime-version:content-type:content-transfer-encoding:author:from:subject: date:to:cc:resent-date:resent-from:resent-to:resent-cc:in-reply-to: references:mime-version:content-type:content-transfer-encoding:message-id: mail-followup-to:openpgp:blahblahblah; bh=YO7fzhSuIW6Amlimi3e/ObpNWMHoMRbctdRyOjfYlI0=; b=xof3kreQEC9QbJI5jQj9oz9PKzOusi1d1Hr6M+1wHDMG5wy4X20WrzT6QwRon6bVcQhbWBDw P7Lkydhf2erHBg==
Date: Sun, 14 Apr 2024 21:13:55 +0200
Author: Steffen Nurpmeso <steffen@sdaoden.eu>
From: Steffen Nurpmeso <steffen@sdaoden.eu>
To: Scott Kitterman <ietf-dkim@kitterman.com>
Cc: ietf-dkim@ietf.org
Message-ID: <20240414191355.gv5mVHtn@steffen%sdaoden.eu>
In-Reply-To: <2C92EB24-3332-436C-A0BB-D4BAC33220F2@kitterman.com>
References: <20240414005126.pzjJO4pr@steffen%sdaoden.eu> <5368AC9A-51D5-4AEC-AB19-613DBEAD7C5B@kitterman.com> <20240414015307.JiO8yjFG@steffen%sdaoden.eu> <2C92EB24-3332-436C-A0BB-D4BAC33220F2@kitterman.com>
Mail-Followup-To: Scott Kitterman <ietf-dkim@kitterman.com>, ietf-dkim@ietf.org
User-Agent: s-nail v14.9.24-612-g7e3bfac540
OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B51883A0DD; url=https://ftp.sdaoden.eu/steffen.asc; preference=signencrypt
BlahBlahBlah: Any stupid boy can crush a beetle. But all the professors in the world can make no bugs.
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/mtr8Btu_TZ2KMHHB8jN1GIEG90c>
Subject: Re: [Ietf-dkim] RFC 8463: DNS textual form underspecified
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Apr 2024 19:14:07 -0000

Scott Kitterman wrote in
 <2C92EB24-3332-436C-A0BB-D4BAC33220F2@kitterman.com>:
 |On April 14, 2024 1:53:07 AM UTC, Steffen Nurpmeso <steffen@sdaoden.eu> \
 |wrote:
 |>Scott Kitterman wrote in
 |> <5368AC9A-51D5-4AEC-AB19-613DBEAD7C5B@kitterman.com>:
 |>|On April 14, 2024 12:51:26 AM UTC, Steffen Nurpmeso <steffen@sdaoden.eu> \
 |>|>Thanks to Hanno Böck (known from ossec and more) i was pointed to
 |>|>my falsely published ED25519 DKIM key.
 |>|>Until now that simply was the complete ED25519 public key, just
 |>|>like for RSA, instead of extracting the actual "bitstring data"
 |>|>from the standardized ASN.1 container, which starts at offset 16
 |>|>(or -offset=12 if you use "openssl asn1parse -noout -out -" aka
 |>|>the binary blob).
 |>|>
 |>|>I realize that RFC 8463 says repeatedly that the base64-encoded
 |>|>representation of an ED25519 key is 44 bytes, and that the
 |>|>examples go for this.  Still there is no wording that the entire
 |>|>ASN.1 structure shall be thrown away.
 |>|
 |>|At the time we wrote what became RFC 8463, ASN.1 for ED25519 was not \
 |>|specified yet.  Openssl didn't support ED25119 either.  I'm not sure \
 |>|what you think we should have put in that we didn't.
 |>|
 |>|It seems to me that you are saying that the RFC is correct and clear, \
 |>|but that you were certain you knew better than the RFC.  That's not \
 |>|a thing an RFC can fix.
 |>
 |>There *is* RFC 8410 to which 8463 refers, around the same time.
 |>It defines exactly this, no?  It says there are no further
 |>parameters, but it does not say "hey so you can go and just leave
 |>that niche container off".
 |>Sure it is 44 bytes, but the entire thing is 64.
 |>It is de-facto only the single example in A.2 which reveals the
 |>total ignorance of ASN.1, and it is about brisbane and football,
 |>which i cannot glue together (letting aside it is written by an
 |>american, and who knows what kind of "football" that is?, as
 |>i seem to know they say "soccer" for what i would think, but it is
 |>4am so i do not truly think anyhow.  Saturday night all right for
 |>fighting, ah.)  (OpenSSL in mid 2017, at least a bit.)
 |>Thus: smart, very smart.  Is always too smart for some.
 |>Just leave them behind.
 |
 |I don't see it?  Where is the reference to 8410?

Yes you are right.  8463 only refers to 8032, and does not mention
8410 at all.  This is a complete misunderstanding.  I have 8410
since February 2023, and 8032 since 31st of January this year,
coming from a completely different background, having read 5480
(Elliptic Curve Cryptography Subject Public Key Information) and
more in the past, and am a CMS and x.509 "fanatic".

I think now that i understand that 8463 just "invents its own
protocol" instead of embedding itself into the CMS / X509 / PKI
infrastructure i no longer like it at all.  What a mess.  It is
Wireguard VPN / SSH etc raw algorithm logic!

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

v2.23.0 | Report a Bug | By Email