[secdir] Secdir review of draft-ietf-dcrup-dkim-usage-04
Magnus Nyström <magnusn@gmail.com> Tue, 12 September 2017 06:33 UTC
Return-Path: <magnusn@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0AA6132D40; Mon, 11 Sep 2017 23:33:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6wkSVOKERZk9; Mon, 11 Sep 2017 23:33:58 -0700 (PDT)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EF901329F9; Mon, 11 Sep 2017 23:33:55 -0700 (PDT)
Received: by mail-io0-x233.google.com with SMTP id d16so40589527ioj.3; Mon, 11 Sep 2017 23:33:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=o1+k8ItbwEnm/ROq3Fsf0OLdMjyLKgRjeO/bVRzmp1M=; b=Ip4xER8d4KPA3YCX+ahMu3atvOVMZ2bc581RbsjvZhh1ghuDHZ5f8b7LxuMJubXT9E LXPlt98d+xYjVX3lryxyOu2ZtWyHBnlqLlTzumIRxlZAToCVF6DCleecCTOhfFoK2cex uIwcVgz7y+ELnXw1WDZv+6bu4pLbNeauK6IlqxhCSewyYwbsJrDIK57skvQQIeonehOA vNULnWYK+jCLkV9gUVOQEaRIiYMF75OR+d9ak320ftlEKBV+/bdwj5T+t+QklHrJotXD HG2mkl1sMqa9+T0ry8FGFX8FvPOtQYOs+WX8kK9yJgoV0ouWaqQa+/xAbvnYtpgDt70I SxpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=o1+k8ItbwEnm/ROq3Fsf0OLdMjyLKgRjeO/bVRzmp1M=; b=pwMrr/JoM5bqAnIBoE5vODyAkSz7fkYhvyJz245VDlLAT7hW36mLvtAr2uMQELDeAg ZTovC3QT2PLUHmsAgn38gQqfYHopUrpsT9IRUdaZx625+pEIcs2jUwUbuixmOFFLnCg3 +lHCtf/xer8sSogAqvDgqNwbFqOWHShBM+8VJg8wuy6wfg8oOa17pHR2TnmdClJYABzv AH3J7PWkqB2YwnPw+wpkUU0dw5f5hadsIzKri976RiTsnPzW26jWVGUoKOAAJT6Rrw2B mZfBkyX5Bx3sgTZqYs8foCOT8e8JQgaqujtrANok/T3dkDPMrZozuYjPBlNGTOOVTni3 1org==
X-Gm-Message-State: AHPjjUhX8eGhWycs2lGx+URczp9pdY7ibTDEG5JoWhOF7vyfVGcqnH/Z lk7wadPr6sTEhgbTceigr6QRqtF5fA==
X-Google-Smtp-Source: AOwi7QCgx/oqUy4A/FT8fMnQT7bhWS0oryJC6mwIssVtdkX+U6TDS7MLwjIqIp4F+DLOLMuRpiNw49a3EZ4JcAdWxkE=
X-Received: by 10.202.87.196 with SMTP id l187mr15767611oib.103.1505198034164; Mon, 11 Sep 2017 23:33:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.58.42.197 with HTTP; Mon, 11 Sep 2017 23:33:53 -0700 (PDT)
From: Magnus Nyström <magnusn@gmail.com>
Date: Mon, 11 Sep 2017 23:33:53 -0700
Message-ID: <CADajj4aj4ndB-ohsvSRF_DjjpKkS0EMJbSV9kZFDe28e9e7HXg@mail.gmail.com>
To: "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-dcrup-dkim-usage@ietf.org
Content-Type: multipart/alternative; boundary="001a113de80424a14d0558f83a49"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/XKkE-uOm_M7mjxGWVkSNDYiZI9c>
Subject: [secdir] Secdir review of draft-ietf-dcrup-dkim-usage-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Sep 2017 06:34:00 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document intends to update the DKIM specification with a new mandatory hash algorithm (SHA-256) and new RSA key size requirements. While I definitely agree with the stated direction, I do wonder about the RSA 1024 bit key size recommendation. Conventionally, this corresponds to about 80-bit security and to reach the equivalent of 128-bit security (which is what SHA-256 gives), a 3072-bit RSA key size should be recommended. In this day and age, mandating only 1024 bits seems a little weak. I recognize there may be limitations in the DNS records storing these keys, but it should be possible to store at least 2048-bit keys (256 bits) (corresponding roughly to 112-bit security) or at least close to it and thus why not require 2048 bit RSA keys as a minimum? 1024 bit keys are, as is also commonly known, considered "legacy" by NIST SP 800-57 part 1 and shouldn't be used for new signatures at this point. > -- Magnus
- [secdir] Secdir review of draft-ietf-dcrup-dkim-u… Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-dcrup-dk… Russ Housley
- Re: [secdir] Secdir review of draft-ietf-dcrup-dk… Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-dcrup-dk… Scott Kitterman
- Re: [secdir] Secdir review of draft-ietf-dcrup-dk… Salz, Rich