Re: [ietf-dkim] DKIM Key Sizes
"Rolf E. Sonneveld" <R.E.Sonneveld@sonnection.nl> Fri, 28 October 2016 12:29 UTC
Return-Path: <ietf-dkim-bounces@mipassoc.org>
X-Original-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Delivered-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6FDC1294F3 for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Fri, 28 Oct 2016 05:29:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.791
X-Spam-Level:
X-Spam-Status: No, score=-1.791 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=sonnection.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lwxgpIdLawFw for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Fri, 28 Oct 2016 05:29:10 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97891129ABD for <ietf-dkim-archive@ietf.org>; Fri, 28 Oct 2016 05:29:10 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [127.0.0.1]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u9SCT1tb003097; Fri, 28 Oct 2016 05:29:02 -0700
Authentication-Results: simon.songbird.com; dkim=fail reason="verification failed; unprotected key" header.d=sonnection.nl header.i=@sonnection.nl header.b=Y9WuMiX9; dkim-adsp=none (unprotected policy); dkim-atps=neutral
Received: from mx10.mailtransaction.com (mx10.mailtransaction.com [88.198.59.241]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u9SCSvbr003093 for <ietf-dkim@mipassoc.org>; Fri, 28 Oct 2016 05:28:59 -0700
Received: from mx14.mailtransaction.com (mx11.mailtransaction.com [88.198.59.230]) by mx10.mailtransaction.com (Postfix) with ESMTP id 3t53222gkwz5Mgw5; Fri, 28 Oct 2016 14:28:10 +0200 (CEST)
Received: from tiger.sonnection.nl (D57E1706.static.ziggozakelijk.nl [213.126.23.6]) by mx14.mailtransaction.com (Postfix) with ESMTP id 3t53221dMjz5MggG; Fri, 28 Oct 2016 14:28:10 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by tiger.sonnection.nl (Postfix) with ESMTP id 0FB00421916; Fri, 28 Oct 2016 14:28:09 +0200 (CEST)
X-Virus-Scanned: amavisd-new at tiger.sonnection.nl
Received: from tiger.sonnection.nl ([127.0.0.1]) by localhost (tiger.sonnection.nl [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id EfQt11ZF8O0c; Fri, 28 Oct 2016 14:28:08 +0200 (CEST)
Received: from [192.168.40.49] (unknown [192.168.40.49]) by tiger.sonnection.nl (Postfix) with ESMTPSA id E9A5F4218F2; Fri, 28 Oct 2016 14:28:08 +0200 (CEST)
To: Eliot Lear <lear@cisco.com>, Jon Callas <jon@callas.org>, Peter Goldstein <peter@valimail.com>
References: <CAOj=BA3TFzxnHHZ+-tpoMCWxhaGvOg0RREbcYbpzS9g3g8i=Qg@mail.gmail.com> <33093A9D-5406-4BEF-AE65-66696B664593@callas.org> <041f61a9-df5a-5c67-6640-6b1c05bf6c9f@cisco.com>
From: "Rolf E. Sonneveld" <R.E.Sonneveld@sonnection.nl>
Organization: Sonnection B.V.
Message-ID: <472e8870-b2b8-c42e-2146-ad45750e2474@sonnection.nl>
Date: Fri, 28 Oct 2016 14:28:08 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <041f61a9-df5a-5c67-6640-6b1c05bf6c9f@cisco.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sonnection.nl; s=2009; t=1477657690; bh=PvJamZpu4WBC7GZF4h9/TKLR7aWWTIQk0rw3ssiRXo8=; h=Subject:To:From:Message-ID:Date:From; b=Y9WuMiX96b+xCzf5LhrZKp5bL/q72KRzqm5/6t2mbNRP5b3m3ZvpHvdjl1lYcEksU z0dQUjW8qZx3bymLvnpJRiR9dlnCHvqRbUGMd26YhuZFuzYoPY1ScW5Clao4d+Qgm7 HF2xggoG1UTtk6f+wnhc8lZuNmpAjguln1rSaVyo=
DKIM-Filter: OpenDKIM Filter v2.8.2 mx10.mailtransaction.com 3t53222gkwz5Mgw5
X-MIME-Autoconverted: from quoted-printable to 8bit by simon.songbird.com id u9SCSvbr003093
Cc: ietf-dkim@mipassoc.org
Subject: Re: [ietf-dkim] DKIM Key Sizes
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.16
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim/>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: ietf-dkim-bounces@mipassoc.org
Sender: ietf-dkim <ietf-dkim-bounces@mipassoc.org>
Hi, Eliot, On 28-10-16 14:02, Eliot Lear wrote: > Hi Jon, > > On 10/28/16 12:29 AM, Jon Callas wrote: >>> I'd like to suggest that it may be a good idea to increase the upper >> value to 4096 or even 8192, to ensure that the standard is compatible >> with best practices going forward. >> >> I don't object to increasing it in the standard, but operationally I >> don't think it's a good idea. Per-message processing cost is one >> reason, but the larger one is the semantic value of a DKIM signature, >> and what it is trying to do. >> >> DKIM is a conversation between two administrative domains, and a >> signature only states that an administrative domain is taking >> responsibility for placing the message in the message stream. Nothing >> more. > I really don't get your point. Either the thing is worth signing or it > isn’t. See below. >> That assurance comes at a cost of whatever integrity that assigns to a >> message that might have been unintended. That message integrity is a >> privacy loss by the users. >> >> The real-world case in point is the leaked Podesta emails, where some >> people have asserted that authenticity can be checked via the DKIM >> signatures. I've raised an eyebrow on that, and the bottom line is >> that you're presuming that attackers were sophisticated enough to >> steal the email, yet unsophisticated enough that stealing the DKIM key >> from an MTA is out of the question. > If it’s the same conversation I was engaged in, I think the person was > just confused. A simpler approach to plausible deniability is simply > not to sign. An end user often cannot choose to sign or not to sign. The end user is dependent on what the ESP or the employers organization configures. Well, of course one could change ESP... But changing employer is quite a step ;-) /rolf _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
- [ietf-dkim] DKIM Key Sizes Peter Goldstein
- Re: [ietf-dkim] DKIM Key Sizes Jon Callas
- Re: [ietf-dkim] Smaller keys/Bigger privacy (was:… Jon Callas
- Re: [ietf-dkim] DKIM Key Sizes Stephen Farrell
- Re: [ietf-dkim] DKIM Key Sizes Eliot Lear
- Re: [ietf-dkim] DKIM Key Sizes Rolf E. Sonneveld
- Re: [ietf-dkim] DKIM Key Sizes Eliot Lear
- Re: [ietf-dkim] DKIM Key Sizes Eliot Lear
- Re: [ietf-dkim] DKIM Key Sizes John R. Levine
- Re: [ietf-dkim] DKIM Key Sizes Martijn Grooten
- Re: [ietf-dkim] DKIM Key Sizes Roland Turner
- Re: [ietf-dkim] DKIM Key Sizes Peter Goldstein
- Re: [ietf-dkim] DKIM Key Sizes John R. Levine
- Re: [ietf-dkim] DKIM Key Sizes Jon Callas
- Re: [ietf-dkim] DKIM Key Sizes Scott Kitterman
- Re: [ietf-dkim] DKIM Key Sizes Jim Fenton
- Re: [ietf-dkim] DKIM Key Sizes Eliot Lear
- Re: [ietf-dkim] DKIM Key Sizes Brandon Long