From federico.santandrea@diennea.com Wed May 10 02:05:27 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0575C120726 for ; Wed, 10 May 2017 02:05:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.798 X-Spam-Level: X-Spam-Status: No, score=0.798 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MczU2pnbUQt7 for ; Wed, 10 May 2017 02:05:25 -0700 (PDT) Received: from mail3.informatica.it (mail3.informatica.it [151.99.189.163]) by ietfa.amsl.com (Postfix) with ESMTP id B202F12706D for ; Wed, 10 May 2017 02:05:24 -0700 (PDT) From: Federico Santandrea To: dcrup@ietf.org Message-ID: <6e2047d1-aef2-8217-8514-5554dc535197@diennea.com> Date: Wed, 10 May 2017 11:05:20 +0200 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-GatewayId: federico.santandrea=2.384601420016073932580062@diennea.com Archived-At: Subject: [Dcrup] Explicit key fingerprint algorithm? X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 May 2017 09:06:26 -0000 From draft-ietf-dcrup-dkim-crypto-00: > The DNS record contains a sha-256 hash of the public key, stored in > base64 in the p= tag. The key type tag MUST be present and contains > k=rsafp or k=ecdhfp. Could it be more future-proof to just say "contains a hash" and let the registered values be "k=rsafp-sha256" and "k=ecdhfp-sha256"? I am not saying that we need more algorithms right now, SHA-256 is fine; but should the need arise to add others in the future, we would end up with a mix of implicit and explicit fingerprint algorithm designations. On the other hand, at the moment this would be just a waste of precious characters in the DNS record compared to just having an agreed, sensible algorithm. (One could also add another tag to the same end, but that sounds like an unnecessary complication to me.) -- Federico From nobody Wed May 10 08:48:02 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02020129BCE for ; Wed, 10 May 2017 08:48:01 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.58 X-Spam-Level: * X-Spam-Status: No, score=1.58 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TsqETArBLioh for ; Wed, 10 May 2017 08:48:00 -0700 (PDT) Received: from miucha.iecc.com (w6.iecc.com [IPv6:2001:470:1f07:1126::4945:4343]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFA8E129527 for ; Wed, 10 May 2017 08:47:59 -0700 (PDT) Received: (qmail 21306 invoked from network); 10 May 2017 15:47:58 -0000 Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 10 May 2017 15:47:58 -0000 Date: 10 May 2017 15:47:36 -0000 Message-ID: <20170510154736.29541.qmail@ary.lan> From: "John Levine" To: dcrup@ietf.org Cc: federico.santandrea@diennea.com In-Reply-To: <6e2047d1-aef2-8217-8514-5554dc535197@diennea.com> Organization: X-Headerized: yes Mime-Version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8bit Archived-At: Subject: Re: [Dcrup] Explicit key fingerprint algorithm? X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 May 2017 15:48:01 -0000 In article <6e2047d1-aef2-8217-8514-5554dc535197@diennea.com> you write: > From draft-ietf-dcrup-dkim-crypto-00: > >> The DNS record contains a sha-256 hash of the public key, stored in >> base64 in the p= tag. The key type tag MUST be present and contains >> k=rsafp or k=ecdhfp. > >Could it be more future-proof to just say "contains a hash" and let >the registered values be "k=rsafp-sha256" and "k=ecdhfp-sha256"? I suppose. The goal here is to add the smallest number of new algorithms and representations that will keep DKIM reasonably secure for the forseeable future. The more we add, the more chances there are for implementations not to interoperate. So I don't care where the reference to SHA-256 is, so long as we agree that what we actually add today is SHA-256 only. R's, John From nobody Wed May 10 09:03:33 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E654D1292FC for ; Wed, 10 May 2017 09:03:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AVp0wNNSu2kz for ; Wed, 10 May 2017 09:03:30 -0700 (PDT) Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC652126CF6 for ; Wed, 10 May 2017 09:03:30 -0700 (PDT) Received: from pps.filterd (m0050095.ppops.net [127.0.0.1]) by m0050095.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v4AG0Nr1002283; Wed, 10 May 2017 17:03:08 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=jan2016.eng; bh=x+AttV+dwc+lCqedNVqsnJb6A3zcRuia1LXmHeCHg10=; b=dXXGLlJMcKgQ+qNTAOfmw7GdEdL/EwzO+SCHK/dfYlwvTxXeo6H/IIHF12L6+mObbKEe 4LNrMDLU1NCmsqK9y7r99jnXns+i6+DRMaCm162e8tJ8DpiAs+sbLT+os3ZeXnLqalWh 6rBgmfgbQNkdQ7wjKudzVyADbtDe+M+hkNn81/LT77ghlSGTc7wS05cdToOt5ADn/qhy 4gwmVpkn5xxbHBd5N2NNgd/qKoVEnGwz2ApG5VdR5MhYdlHlYWXml+4sh3oz++ljh2Z4 /a9QOcmVRttxYCU1UxySkJm0wf0zkNCAVrS+9cH/L48gqtTTluhEbFQjn4QGkByEkDXn JQ== Received: from prod-mail-ppoint2 (a184-51-33-19.deploy.static.akamaitechnologies.com [184.51.33.19] (may be forged)) by m0050095.ppops.net-00190b01. with ESMTP id 2abynbabeu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 10 May 2017 17:03:07 +0100 Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v4AFjsKM021804; Wed, 10 May 2017 12:03:06 -0400 Received: from email.msg.corp.akamai.com ([172.27.123.31]) by prod-mail-ppoint2.akamai.com with ESMTP id 2a99tuqng4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 10 May 2017 12:03:06 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb3.msg.corp.akamai.com (172.27.123.103) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Wed, 10 May 2017 12:03:05 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Wed, 10 May 2017 12:03:04 -0400 From: "Salz, Rich" To: John Levine , "dcrup@ietf.org" CC: "federico.santandrea@diennea.com" Thread-Topic: [Dcrup] Explicit key fingerprint algorithm? Thread-Index: AQHSyWy4v7pHA3rb0EKzUnd4G4xNXqHt+bIA//++vKA= Date: Wed, 10 May 2017 16:03:04 +0000 Message-ID: <561920c316d84cb2afd23e1e27183788@usma1ex-dag1mb1.msg.corp.akamai.com> References: <6e2047d1-aef2-8217-8514-5554dc535197@diennea.com> <20170510154736.29541.qmail@ary.lan> In-Reply-To: <20170510154736.29541.qmail@ary.lan> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [172.19.32.197] Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-10_11:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705100107 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-10_12:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705100108 Archived-At: Subject: Re: [Dcrup] Explicit key fingerprint algorithm? X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 May 2017 16:03:32 -0000 > >Could it be more future-proof to just say "contains a hash" and let the > >registered values be "k=3Drsafp-sha256" and "k=3Decdhfp-sha256"? >=20 > I suppose. The goal here is to add the smallest number of new algorithms > and representations that will keep DKIM reasonably secure for the > forseeable future.=20 A related discussion is happening in the curdle group, where some want the = hash specified (as an "identity" hash) for Ed448 and others don't (as SHA51= 2 is implied). I suggest that this group look closely at draft-ietf-curdle-cms-eddsa-signa= tures for its signature algorithms. The digest isn't required as a parame= ter, and it's SHA512.=20 From nobody Fri May 19 04:58:32 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 529D112EBC4 for ; Fri, 19 May 2017 04:58:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.022 X-Spam-Level: X-Spam-Status: No, score=-2.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=juniper.net Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VSFENffflmgw for ; Fri, 19 May 2017 04:58:29 -0700 (PDT) Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0106.outbound.protection.outlook.com [104.47.41.106]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F45312EBD5 for ; Fri, 19 May 2017 04:51:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=HC2SuYVVKR9PvEmMRoCnZSkr6Awy+t1bKHMIyu5RYKE=; b=PPegKdRjjK4RqMFG6kbz8oEFqmknxkLx/0sKoLj13ytd7IswUwVsUAdlQSSABlAiZH1HBls+69xlnwuJv6/JSx28S9m6vcv+pvK1T1SF2OmK7cV15/FypE7J8CzLb/A09yG+tG2/R09+wm8zskwKfJ3EH0G50BJ2AEZWbpmEYmg= Received: from BY2PR05CA035.namprd05.prod.outlook.com (10.141.250.25) by BY2PR05MB1974.namprd05.prod.outlook.com (10.163.32.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1101.8; Fri, 19 May 2017 11:51:50 +0000 Received: from CO1NAM05FT015.eop-nam05.prod.protection.outlook.com (2a01:111:f400:7e50::207) by BY2PR05CA035.outlook.office365.com (2a01:111:e400:2c5f::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1124.5 via Frontend Transport; Fri, 19 May 2017 11:51:50 +0000 Authentication-Results: spf=softfail (sender IP is 66.129.239.12) smtp.mailfrom=juniper.net; akamai.com; dkim=none (message not signed) header.d=none;akamai.com; dmarc=fail action=none header.from=juniper.net; Received-SPF: SoftFail (protection.outlook.com: domain of transitioning juniper.net discourages use of 66.129.239.12 as permitted sender) Received: from p-emfe01a-sac.jnpr.net (66.129.239.12) by CO1NAM05FT015.mail.protection.outlook.com (10.152.96.122) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256) id 15.1.1075.12 via Frontend Transport; Fri, 19 May 2017 11:51:49 +0000 Received: from p-mailhub01.juniper.net (10.160.2.17) by p-emfe01a-sac.jnpr.net (172.24.192.21) with Microsoft SMTP Server (TLS) id 14.3.123.3; Fri, 19 May 2017 04:51:48 -0700 Received: from eng-mail01.juniper.net (eng-mail01.juniper.net [172.17.28.114]) by p-mailhub01.juniper.net (8.14.4/8.11.3) with ESMTP id v4JBpmNp010112; Fri, 19 May 2017 04:51:48 -0700 (envelope-from mdb@juniper.net) Received: from eng-mail01.juniper.net (localhost [127.0.0.1]) by eng-mail01.juniper.net (Postfix) with ESMTP id D6F391144E; Fri, 19 May 2017 04:51:47 -0700 (PDT) To: From: "Mark D. Baushke" Date: Fri, 19 May 2017 04:51:47 -0700 Message-ID: <71169.1495194707@eng-mail01.juniper.net> Sender: MIME-Version: 1.0 Content-Type: text/plain X-EOPAttributedMessage: 0 X-MS-Office365-Filtering-HT: Tenant X-Forefront-Antispam-Report: CIP:66.129.239.12; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(39450400003)(39410400002)(39400400002)(39840400002)(39850400002)(39860400002)(2980300002)(9170700003)(48376002)(50986999)(110136004)(356003)(6916009)(5003940100001)(6266002)(50466002)(230783001)(53936002)(117636001)(76506005)(53416004)(55016002)(6306002)(7846003)(966005)(8936002)(77096006)(54356999)(2351001)(106466001)(105596002)(6392003)(38730400002)(2906002)(8676002)(86362001)(2810700001)(478600001)(5660300001)(81166006)(189998001)(305945005)(7696004)(7126002)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR05MB1974; H:p-emfe01a-sac.jnpr.net; FPR:; SPF:SoftFail; MLV:sfv; LANG:en; X-Microsoft-Exchange-Diagnostics: 1; CO1NAM05FT015; 1:SDnijDNactcmcFIjnoH+V0oaNGhWafrD1n7QU72caPWQfMqPH9vXtDPoFN2MtigK/n6pISbc64Ov89uAuZK7NegLzaEgkvh1ZOAHyMoR1IXe8UPnXy333wVQWyEbTsXs5wA60xt3Zt+Z+lPytH1ieQjqFZcrPltQdnz3uljSp58YpzqUmBkZ58FPTWP2AK+Ds/+3RUQSL3wnOUzRpYMX0l50ZKeSca4/knlqgUaPev0I4jKH81g+hX6n0eISHNrv8pTWMdzrYM+QMdxLJWJx6vcLJvmcDQU6dwe7Z/NgezPmxbIFq7S0dL9f7WEH+jOCFtNwKKdXyJNguoCCqwpdwlo9H8kpxijstvsvaMbwtf94ocOvvnuD4SaFErzRRybIIQFpAhf/KLDep8Qz1FLlBzIew57N8Xx5CDRkI/WZ2yqv3Lezu9yOOCjzDQktU8Qa5FtM0U8rjSgbl0uLf0VDgOw4jdWY+71mQVgLIhtb7m67oM/acYEYiFcfzusWWb2aZqZSb+iEYItH3wjlYBo0O1zXTRhWJPut9nrofrL4TeRUZDiv6msIo+IRnjEGONCQ63r9MGzEHcRKHTYTlcM0Fa9FZDM/5FGF3OVjxxJJ/Z8= X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: BY2PR05MB1974: X-MS-Office365-Filtering-Correlation-Id: 78f7c0f2-92fa-44da-5f40-08d49ead6f60 X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(201703131423075)(201703031133081); SRVR:BY2PR05MB1974; X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB1974; 3:wvM7BGbl9qA0ZccnX8tCLO37ROwvOUMtSovOZ7c7C6XDbQaronfcr0kcbbVdfiEeWGofTWLzE9ZYeie0CFe3IM5H2G//RTqQgrpJSUHfLLOJejWH2BkWX5lZhGSivWMsWGN2CKIo9XLXlVhRQEcd5mDk8Er11hZCOLC9GhyX8umjKzDYFAEXqLQc7qz7IQrRlroBbG+xrxLLdVGkVJgHNRrgpmmhXfWzX0Sa5HNGM9O+tXnk/9sPanB3oCmwtMN01xJ8HTg9VpMtkVBVo3CpygH0VNo66IdV9Xrsaq6rjjP2aVbgUNGp2RMx3GHbNZe8lVSnBe9OMmEDU67Twq9pkETO6xcqWYy/kj04IiPkTUVXOMH2+PgyGkrCgVJDRbq7jPVFUSWsptCIvag3vFWoKuuio1sQow7Vd+Re0qZ3f1085h3Fg88jRz10c4s+7kHwHRPvuM1XiuqC0hRIDYu+og== X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB1974; 25:kcfTNk8jEJiPJGgFtfaYmnm0fZV1cNPjipzSP8MC23QQUim7UffzHyiAH08CFM76/xxXOGQsEVjC7Hn/ZnFgaLXzhYanRVjIAi9LiiheqkRhAypXFPG4CF5RxTcrdj6wmMNmtSFdUmVbCUOgoorkfRVI3E1k6Kh31hDgCtv6p/+0a/GPctNt54yLaZBhBou1PikGAp7ARH0YpmdXt8EHmFrcescZ0FHs5gydQDtgDPfDkLVmnY0XyxatlQMdrcCZaMY59HgKwyRpAE6DjIZ9K7dy4zha4/caPeMjuPE17q9DP2LijXuuxx2lYaDjrcghhqSI23rGE9PkfNx03jL7MLF6Y7UKobynW9Hn86IpT4fbeEDnibyOesTNWCYTlXMG1/BzvcCZTiZkH/wTcp/GP+du5cBVJDwRoRd7B5u7ieY9Yz7ttSPfFgDIPctaTTld0fmhPwUOOqualA48AcNGpJEHoICELp352zh1kgpwW2I=; 31:29PWaEFkHf1JZeATd6a98vCchow7vCn/Zxki/s1PutoYTQ29sVCVjoxcSBeWTm58+6l3sHLfGsL1IHu9u+P4yFUjJnrOElb3Oz58Folp6BIELV16aecr+Ogxl8xGjE+VD3/khMN7VYjY7O3s5WoYLzLKtl6BThWIbVp0ae10eeIrvlMS3FSB4Iiihrz+OOggqi75gsSDKOjTHwWRTgkSui3w8kPaMP2BMmo5A9idbuoIzXYwQHDcgfPXsgghMrmlKhDBCt0kyNGraIN0NYpGcQ== X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB1974; 20:657YzeHd+j3PheYwwWNk0w6EbOyEOffD8QJ/43MubBuGRLVRtPOYkShSRhcvck0UYaovC8cipU/FV8IA4Xkpi44KUxh10jBSpnvEva0KdXPJh0uqA1t/kA4cj0jMPPddHCTLG43WixZNCdV1Ai2b6cjoTGvzcWGOh3WOMhp0vvMU5UToVV77lpV7tSq5kxT/vrWxNJe+VCzExbKjBZbxHcVWwnM6ghEfV55P+c46fBLXWpAuYmZLKSsVo0W+tMeBMBN20kCQZwFf1BlKrslxBRa2GUv8uTcA1foW8khyeeerSHo0XLfJ/HDs0uJInZVVu7jzY2/vJMDVLk79NZ0Yno4RmtfnOA3E7uIpAtULljPE/t/Gbb3nmN1/t/2WyNAuZl5vcvq4LQSBBRp6JUgSYefr8WUAWjTmCmo78AR94VxbQXOJwKOX1R58N6vQ3U6lJOdY3ivF6YoVvCs6z7w4kV5tSC/4iY49UOq0+kfXeweksyCxQ9u+PK/z7KEMnTr3 X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:(76576733993138)(165104125076784)(120809045254105)(177329092695168); X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(6040450)(601004)(2401047)(5005006)(13017025)(13015025)(13024025)(13023025)(8121501046)(13018025)(3002001)(93006095)(93003095)(10201501046)(6055026)(6041248)(20161123558100)(20161123562025)(20161123555025)(20161123564025)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6072148); SRVR:BY2PR05MB1974; BCL:0; PCL:0; RULEID:; SRVR:BY2PR05MB1974; X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; BY2PR05MB1974; 4:jPxHYhUr5balxX+Cijwkapyhfjz1oQmE1Q0wB4Rbeh?= =?us-ascii?Q?p/KCkvNh94wiU8v8ExZY9qX9OxrqbgjYBeupqS810H7bSqjGomFmxO7f/ihr?= =?us-ascii?Q?xOvV6BJZ4cHr1FkPhPqjeuFTDabUxqL4huiWIbGzFRQMqdTHGi7ESY4eufHs?= =?us-ascii?Q?g4Es37+CcVf0ObhKMyJCW35mo0cct56+XxgqwjVfkdT+7MxuYSMZGcuGqB7s?= =?us-ascii?Q?U4hyHudDs5upFW9MHtMOUHjBEF7uggt8koqBSPObpnDD1T4MagJstezks0Yv?= =?us-ascii?Q?WUclINnjebIpo5i2vhF68mqGRtbl6aYrSFZMWuqYdEmXlFy7qTgPKW/EITMr?= =?us-ascii?Q?V4yHx6icHo4Me9zw6SLB7ATVx6V+PVqXUHHmD3/VlugIWMVKAYBNwxLWbbet?= =?us-ascii?Q?VkVZTzzyzwGq5Lb0l4UCKZjpsnBPLU93vjgwioP64nJYtlxFzdtUWk01G1T3?= =?us-ascii?Q?KOru/JlwLPRZoGZap+UAdBjOYrYytMozbM5dHmPvE7BLzhdP3lAZdMbu5kpe?= =?us-ascii?Q?36484wVnSCny2LZPM3FU+XbVnFycYfdy7BknwMyboBNCe70wJcu5Yy1bCC8A?= =?us-ascii?Q?rS3vXO/th4PGviAe5+xOWyMb++i2bNKFmNUq5slA6Hm00kD6T2lPTNgWZRBt?= =?us-ascii?Q?IURZ2pXaHpd2mA2oadrsC3SVPyuriwEJzr/EbNbF8VyZaB+x729QnVJwJxcX?= =?us-ascii?Q?NpkfZ9/j0N3y5JodxuKKMUB6JmGvLQZ9lQxepcdKMJMy11GNV9vUTfcHKCKU?= =?us-ascii?Q?dCqpLKp/76FjWZNmLAHRdWkZONPrcHd9Ex1pe4LZGKT0o2LztCA51U4ERSLD?= =?us-ascii?Q?fqncJDKQNFd7OnFQF4PCA2bbh7SmM/5PpzJ3Ccz+QmsGfESZMRSv9It+lB5G?= =?us-ascii?Q?bTh6IFf0CUtowB1xrfXMkMWYX33ywcPzELbv2clxB7FY9pQukG/Bq7I4hsOy?= =?us-ascii?Q?NxVkyep5IN3dFjZfGx8AloVJnbfiFrnTo+AGnAeKyQYVt/BwKKiJhtshfQaL?= =?us-ascii?Q?hAQEO+Y3Riij3zKqgmZzBMHoMWMtlyT5GinLW1pTSTfCpD5U+9vIR6OQVYqt?= =?us-ascii?Q?ggwJI=3D?= X-Forefront-PRVS: 031257FE13 X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; BY2PR05MB1974; 23:Ys9AqzywB415x5Ukv2eBVbJ7AzA9bpcxH38pj4TdT?= =?us-ascii?Q?1w1n4J1RiIAk6zb8a+zQokCGuO8gBiHXaHSqQCqUocThnLhVLUTLZ0G/5y9P?= =?us-ascii?Q?pg1TdHQTyjaqUKIdjScE0LCo2Gr1NEJleZBHDeWmV/vqdNOXWqqtFFRECVmc?= =?us-ascii?Q?fmb1ITQAKdAHv+nVSKwKeh5tkGsi1hYXc+rkLQBnlk2/PazeyyL6u3UKrFAV?= =?us-ascii?Q?clTdEHsbrO/2Bg1kOE4jngcLlukpM0Crigwkfk0G976pGwGO4AAIiyzNMBjv?= =?us-ascii?Q?RAcZ7rQdqt+XHTd4U+H6ghwTZwJB0alK7wroLw+ZCRe3vUSTYjZsbW/9iyT8?= =?us-ascii?Q?wFQ6ygprWZ2W3LUyft2JYlspe2ZKRZ7GHOYEC9trwI5P/pKpPJ+a2dpllii/?= =?us-ascii?Q?YnQiRcH+bF63C26pQy6jh2arJbhnSgVU4fzbfyoPUZa851zAyynUJWxDe60Z?= =?us-ascii?Q?Oi/M76KKlBfCizrs5t/dLoWl9BSrrrw1oSuTpP/5K3+7s+e6dWtLBbG726SQ?= =?us-ascii?Q?BIQpuxgVnf+yllwUWQJnNt2eqFhFR7XD+o9DzzCTzAUlPo2hmuYR2R+sVYCV?= =?us-ascii?Q?FzbDhWzpt7seuEWqXqNvt2pdLiChqumfZRe8+PzX0R8aCqSJJpfd4ztY4vUS?= =?us-ascii?Q?90FhYQmGHuBX/Q6ABg2L2IyszosJfLpiUDB4b3HemvTs/jDMX+3aU8VqjUVP?= =?us-ascii?Q?DUyn3fwDoeWEgBjOHg9M4u5PrUBpwcCnRP/b3MoRRkcAvbeWSeqA1OkI94y5?= =?us-ascii?Q?nyrDKaQ4JZ38UUKLywXN1Czpn+Cyam0ZOjnjwN9GUTmK3AkQO1UnAQyqnZEV?= =?us-ascii?Q?xb2RdHo2Q0cZWYVsjXFrU/Whz7Lopjp71o38Ppoo3RTJeIibzTTjtNil9NqH?= =?us-ascii?Q?bA9GBjEOiiGT+4NL0R4J+kflZhy/Ibot/frmelRckoupGGd6Qlqgan0YYVYv?= =?us-ascii?Q?TZbH84fR8lPcCYCvjjxF8jB/fIVLKjv4Ov2CBBeA3XWn0IZuACqE0HZIALHj?= =?us-ascii?Q?9BaUkRUfRdY7fRUnBOe1Jtt1wz4xPFHAyktqwGyxfmr5XbhsY4PyFHL5eOCA?= =?us-ascii?Q?P/DLAjmXILvYCvM6zIyI2k34o6YlTt8rYq3Fg70fnb7NUJGm0TE15m8yKOcO?= =?us-ascii?Q?ExIoPzUOHn+wATYJrtJPULwDhz6idgSZZceBb02EcJbLo0TVL66Tw=3D=3D?= X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB1974; 6:ejA0tbss6T+bM9UUiEh0C2xHo2Ic4EfzpoiBeozHCz6dv+pz6HJs+cMJ9yH26EA7CWcGdEGDehIj2xHkucFwdhi5FSEd0pLJdiKyBMPGjYZCfGdg2H3PqKEC/bl+5KKH7X1ylB6L47lFQkN/KeTYhPd0IcOYbHVj6H3AGnMz/7FhKXILyye7EQrhVo0POr7kJiC6eID8ZFC8SXI4MPNry76ful4qJ9kI3ukXLrlTPnRZ743cC5jb0+STOD1i0OKkBk5YUnlxm4PNhSaX0VT8vbeP8znajfzkXWTVkp6Z93ehxzVZrx1ty160Q6gl4IfSIWt4VsSL/SYNSjdYXs7Qp/yIrR/o89Lwd3LCVolxs4sAIFvE3nT2L1tIqFSvWN/ONyNeA8bI9qTMMnncwBgyOXPvcup3N5q9o/aYIWVTmLv8ZwW6Lw5wu/msDVH6/MMgvQqpfqxVA3BUl387CW4Y0cQJYSPUjxWE/+QNuC3mcbTKEpm9j22GTBhDkENLwLucEt3o17u7Y6ef272BkpraUIAQRgmbaAuWVsp1b4lPip8=; 5:SElj5sAUqbO7OxFl50wuv1EE/pTuXmJ/wu003+vanXzagWhW+Fi8g0bjCkA+KciTIWPKDc0JQK9UpLkzl0XeWNkFGeSKrWNz+FJKb9+SQ3QY+YLIMUt1/xRZETx7s2cTNOShoAJu9Q65Ayolt5B7bg==; 24:tewG0/Dj/jmG4zX8Mrkuvv55+8eAdhFuIS1yLIY/TQWa5JhLrXNc62sv6RJhKql812lc4dqo/qCWBa8ypKdMvamtiwzklZRUY7karMcAeDY= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB1974; 7:Y7cvgXUTQKqtCXPELPoSRpJX81+aDXDmNuH1lreD8bf4QITV7UeMKZUYMymHPIlzblg6o9xGjJ64SpK12szCCtdwy5B2/z6QRDDUMBnNPAc78N1BSmIEfRGw43NL0/WfT83WBcrNrTnAZrncyzqgHAzrK40A4yyC05mATiDPc+k4fVX5rjglVMw5edfNU3obD+nWKPnHiQ/0SKzN0O1b/i6KLjD/wBkKHc8kLvnWceG/eDSqHEZpjm1Q3UPu5FLATnurQRPbAC6Oh4JXtTeYCfsf18eD3ihjBRAer4wgMMbNZiQXW+2sS9oSUgqP65xoNY1EAto+zXZAZw19hGvFDw== X-OriginatorOrg: juniper.net X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 May 2017 11:51:49.8488 (UTC) X-MS-Exchange-CrossTenant-Id: bea78b3c-4cdb-4130-854a-1d193232e5f4 X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=bea78b3c-4cdb-4130-854a-1d193232e5f4; Ip=[66.129.239.12]; Helo=[p-emfe01a-sac.jnpr.net] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR05MB1974 Archived-At: Subject: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 11:58:31 -0000 Hi, I suggest that 2048 bit RSA be considered the minimum key size. Samller sizes are not really safe these days. In any update of RSA, you really need to determine if your RSA keys will be using RSASSA-PSS or PKCS#1 v1.5 padding and be careful in the signature verification methods being used as well as specifying the use of the SHA2 hash to be used if the key size is greater than RSA 3072 which is the largest that should probably use SHA2-256. RSA key sizes in excess of 3072-bit keys may want to consider SHA2-384 or SHA2-512 hashes. I note that you are suggesting signing using ECDH and wonder if you intended to specify ECDSA or EdDSA as a way to digitally sign using Elliptic Curve methods as generally ECDH is used for key agreement protocols. In section 5, you ask [[ is there any reason to allow or require RSA keys longer than 2048 ? ]] I do not believe that this is required today. However, it will probably be true in a short number of years. The IETF CURDLE (CURves, Deprecating and a Little more Encryption) WG has a few drafts you may wish to read such as draft-ietf-curdle-cms-eddsa-signatures For this draft and others, you may visit: https://datatracker.ietf.org/wg/curdle/documents/ An informative reference for your consideration: The National Institute of Standards and Technology (NIST) Special Publication 800-131A [800-131A] disallows the use of RSA and DSA keys shorter than 2048 bits for US government use after 2013. http://dx.doi.org/10.6028/NIST.SP.800-131Ar1 Another informative reference: Fault-Based Attack of RSA Authentication Andrea Pellegrini, Valeria Bertacco and Todd Austin http://web.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf I hope you find the above information useful. Enjoy! -- Mark From nobody Fri May 19 05:55:34 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8928412EB77 for ; Fri, 19 May 2017 05:55:33 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.698 X-Spam-Level: X-Spam-Status: No, score=0.698 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zee2E_QwIpXf for ; Fri, 19 May 2017 05:55:32 -0700 (PDT) Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65DC412ECA6 for ; Fri, 19 May 2017 05:49:27 -0700 (PDT) Received: from android-df929938bd25e485.home.kitterman.com (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 2BC7BC4034A; Fri, 19 May 2017 07:49:25 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1495198165; bh=b968yD9N4ak3jmRv4032Auf8J2ONMLF5m2Vs+sDqNQQ=; h=Date:In-Reply-To:References:Subject:To:From:From; b=Gk5b7RAjNZWWgqiZGjTYsAxicpKJ8CtMIqpd0T+XcklYuxo3TCTjOvIw67qSlqP17 fj0Rwo/7yLj+29GRXaMzseikSpvmkuXZRNQPZ0iqyuPgRembogQVrWGDuyGXZF13bB VrbPzuaHTlNH3MZYT6yGWYqsNkJdLrgHiom08HSE= Date: Fri, 19 May 2017 12:49:23 +0000 In-Reply-To: <71169.1495194707@eng-mail01.juniper.net> References: <71169.1495194707@eng-mail01.juniper.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable To: dcrup@ietf.org From: Scott Kitterman Message-ID: Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 12:55:34 -0000 On May 19, 2017 7:51:47 AM EDT, "Mark D=2E Baushke" wr= ote: >Hi, > >I suggest that 2048 bit RSA be considered the minimum key size=2E >Smaller sizes are not really safe these days=2E 2048 bit keys present operational problems in common DNS provisioning syst= ems=2E What advice should we offer those not currently able to publish a T= XT record long enough for 2048? I don't think the answer is don't bother with DKIM because it's pointless = with a key < 2048=2E Given the ephemeral nature of a DKIM signature's valu= e, there's probably a combination of shorter keys and key rotation that's p= erfectly fine=2E Scott K From nobody Fri May 19 06:48:43 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9C6B124D85 for ; Fri, 19 May 2017 06:48:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GvI5t2anEwnE for ; Fri, 19 May 2017 06:48:40 -0700 (PDT) Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D37F0124217 for ; Fri, 19 May 2017 06:48:40 -0700 (PDT) Received: from pps.filterd (m0050095.ppops.net [127.0.0.1]) by m0050095.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v4JDgNqi021107; Fri, 19 May 2017 14:48:39 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=jan2016.eng; bh=UW8kIIffebfR+fwIBvt0YV2IgO7oPh+tqU8zcJNv3cs=; b=ZRPk00rWYlbJKMqAnUZ6h4PjoroxvYqGRCwNJ71wHTgxOkPfg1H01qigP6RTeYUbaDo7 4ybPfNYTA9vR05rFtuGze6o74sIwNiJgnoo9QViQo0/NHGJlR5/BeHku34rbiVamF4Up ailcJGRkBZQ4LNO/wtTmhoa3f6rNynvFAsS1JPfsFq8C+4V1TmkcE4nWETa8gElSfgAo a3s+/p/8PRIRn1qUsPlHvEUN5l1nmVfp4aymYNnjerxKDUr9Lwj/iFCTxRJptXrKW2Xx HLtlzXfI7+YXfXw5P7iYvJIsWggS8s7NrLaUgtt1Mr6bT+W7ldKgNXOpdPsWrGQSLmkM 7w== Received: from prod-mail-ppoint1 (a184-51-33-18.deploy.static.akamaitechnologies.com [184.51.33.18] (may be forged)) by m0050095.ppops.net-00190b01. with ESMTP id 2ahdvfqxf0-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 19 May 2017 14:48:38 +0100 Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v4JDfGpw031219; Fri, 19 May 2017 09:48:37 -0400 Received: from email.msg.corp.akamai.com ([172.27.123.31]) by prod-mail-ppoint1.akamai.com with ESMTP id 2adwfug8pg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 19 May 2017 09:48:37 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb1.msg.corp.akamai.com (172.27.123.101) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 19 May 2017 09:48:37 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Fri, 19 May 2017 09:48:37 -0400 From: "Salz, Rich" To: Scott Kitterman , "dcrup@ietf.org" Thread-Topic: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 Thread-Index: AQHS0JZPa6MFSHAU0E2PcZUdKc0X+qH73o+A///NVMA= Date: Fri, 19 May 2017 13:48:36 +0000 Message-ID: <85f7bdf177024c2b98fcd5ef136141bf@usma1ex-dag1mb1.msg.corp.akamai.com> References: <71169.1495194707@eng-mail01.juniper.net> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [172.19.40.249] Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-19_08:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705190087 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-19_08:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705190087 Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 13:48:42 -0000 > 2048 bit keys present operational problems in common DNS provisioning > systems. What advice should we offer those not currently able to publish= a > TXT record long enough for 2048? Move to ECC which has much shorter keys with equivalent strength? From nobody Fri May 19 07:24:58 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F74C127419 for ; Fri, 19 May 2017 07:24:56 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.698 X-Spam-Level: X-Spam-Status: No, score=0.698 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5v3XED3wnNKd for ; Fri, 19 May 2017 07:24:54 -0700 (PDT) Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [IPv6:2607:f0d0:3001:aa::2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA45B1270B4 for ; Fri, 19 May 2017 07:24:54 -0700 (PDT) Received: from [10.251.120.224] (mobile-166-170-32-163.mycingular.net [166.170.32.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id B05BEC4034A; Fri, 19 May 2017 09:24:51 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1495203891; bh=0Z+9l/yYgr5rbNvl4BSC0yO/B28GBIQqObF0kiZv/4c=; h=Date:In-Reply-To:References:Subject:To:From:From; b=LzmhzUssoJ06fdBd/p0NIMT/+Mo3jDfg4pqA3AF+dpMKhjhP8pi/zZhZaagwZkghO KJ1+vAh+k/yYyTCrLsBN0Q/IkTYy1IhQeYm8vkb9ea4OlnD6z/qd/5UqCH8aG8Utif J2Z7DQYB9OE/dBovvxV6MyY0XAgyGwjx/2YiWP/k= Date: Fri, 19 May 2017 14:24:38 +0000 In-Reply-To: <85f7bdf177024c2b98fcd5ef136141bf@usma1ex-dag1mb1.msg.corp.akamai.com> References: <71169.1495194707@eng-mail01.juniper.net> <85f7bdf177024c2b98fcd5ef136141bf@usma1ex-dag1mb1.msg.corp.akamai.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable To: dcrup@ietf.org From: Scott Kitterman Message-ID: Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 14:24:56 -0000 On May 19, 2017 9:48:36 AM EDT, "Salz, Rich" wrote: >> 2048 bit keys present operational problems in common DNS provisioning >> systems=2E What advice should we offer those not currently able to >publish a >> TXT record long enough for 2048? > >Move to ECC which has much shorter keys with equivalent strength? Eventually, sure, but sha-1 and sha-256 are what DKIM libraries support to= day=2E The WG does need to answer questions about the future when new soft= ware can be developed and deployed, but IMO improved guidance for today's s= ystems is much more urgent=2E Keep in mind the current minimum is 512=2E If we could spit out a document that says nothing more than: MUST NOT sign/verify sha-1 MUST sign/verify sha-256 Key size MUST be 1024 and SHOULD be 2048 it would be an easy, quick win while we work on consensus about the next a= lgorithm that should be added=2E I volunteer to draft it if there's interest=2E Scott K From nobody Fri May 19 07:31:15 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69D3612783A for ; Fri, 19 May 2017 07:31:13 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.579 X-Spam-Level: * X-Spam-Status: No, score=1.579 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4cKX9ZW1UDOS for ; Fri, 19 May 2017 07:31:12 -0700 (PDT) Received: from miucha.iecc.com (w6.iecc.com [IPv6:2001:470:1f07:1126::4945:4343]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 776211277BB for ; Fri, 19 May 2017 07:31:12 -0700 (PDT) Received: (qmail 69439 invoked from network); 19 May 2017 14:31:11 -0000 Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 19 May 2017 14:31:11 -0000 Date: 19 May 2017 14:30:49 -0000 Message-ID: <20170519143049.4908.qmail@ary.lan> From: "John Levine" To: dcrup@ietf.org Cc: sklist@kitterman.com In-Reply-To: Organization: X-Headerized: yes Mime-Version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8bit Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 14:31:13 -0000 In article you write: > > >On May 19, 2017 7:51:47 AM EDT, "Mark D. Baushke" wrote: >>Hi, >> >>I suggest that 2048 bit RSA be considered the minimum key size. >>Smaller sizes are not really safe these days. > >2048 bit keys present operational problems in common DNS provisioning systems. What advice >should we offer those not currently able to publish a TXT record long enough for 2048? Perhaps to read section 4 of the draft? R's, John From nobody Fri May 19 07:42:59 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F3D3128B51 for ; Fri, 19 May 2017 07:42:58 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.103 X-Spam-Level: X-Spam-Status: No, score=-0.103 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sbz0WoNk3OnY for ; Fri, 19 May 2017 07:42:57 -0700 (PDT) Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [IPv6:2607:f0d0:3001:aa::2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B117128959 for ; Fri, 19 May 2017 07:42:57 -0700 (PDT) Received: from [10.251.120.224] (mobile-166-170-32-163.mycingular.net [166.170.32.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id F1839C4034A; Fri, 19 May 2017 09:42:55 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1495204976; bh=47AIBrOrQlIehyk1tm4OvcPxytxu7BzzvoHdD8XDFyE=; h=Date:In-Reply-To:References:Subject:To:From:From; b=f2WPFJSbxqGWijB9L8yPl55kswMcc5rXZUKK/XlPGU6IVfg32+384jOORpUKWMC4+ ryHUFtqcFJfPWTVsiZi1zRklY4yDnnoaA7enLA7zrQ6a41Fr69OLTcye128xfVchXO 7DoMCapQMgoMVX04ciZvagkD1Y3ayJ5Gdf6/V+Lg= Date: Fri, 19 May 2017 14:41:51 +0000 In-Reply-To: <20170519143049.4908.qmail@ary.lan> References: <20170519143049.4908.qmail@ary.lan> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable To: dcrup@ietf.org From: Scott Kitterman Message-ID: Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 14:42:58 -0000 On May 19, 2017 10:30:49 AM EDT, John Levine wrote: >In article you >write: >> >> >>On May 19, 2017 7:51:47 AM EDT, "Mark D=2E Baushke" >wrote: >>>Hi, >>> >>>I suggest that 2048 bit RSA be considered the minimum key size=2E >>>Smaller sizes are not really safe these days=2E >> >>2048 bit keys present operational problems in common DNS provisioning >systems=2E What advice >>should we offer those not currently able to publish a TXT record long >enough for 2048? > >Perhaps to read section 4 of the draft? What currently available DKIM software supports that approach? I don't th= ink any, so I believe that the question of what operators should do until n= ew software can be developed and deployed is still open=2E Until new signing key management/publishing or crypto achieve similar succ= essful verification rates to what's currently fielded, they aren't suitable= replacements=2E For anything that requires code changes on the part of verifiers, it's goi= ng to take years before enough support new functionality that the d can be = dropped=2E What do people do in the meantime? Scott K From nobody Fri May 19 07:43:20 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7265A128B51 for ; Fri, 19 May 2017 07:43:07 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.579 X-Spam-Level: * X-Spam-Status: No, score=1.579 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wuhKqJ2P3iMz for ; Fri, 19 May 2017 07:43:06 -0700 (PDT) Received: from miucha.iecc.com (www.iecc.com [IPv6:2001:470:1f07:1126::4945:4343]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8E48128B91 for ; Fri, 19 May 2017 07:43:06 -0700 (PDT) Received: (qmail 71041 invoked from network); 19 May 2017 14:43:05 -0000 Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 19 May 2017 14:43:05 -0000 Date: 19 May 2017 14:42:43 -0000 Message-ID: <20170519144243.4945.qmail@ary.lan> From: "John Levine" To: dcrup@ietf.org Cc: mdb@juniper.net In-Reply-To: <71169.1495194707@eng-mail01.juniper.net> Organization: X-Headerized: yes Mime-Version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8bit Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 14:43:07 -0000 In article <71169.1495194707@eng-mail01.juniper.net> you write: >Hi, > >I suggest that 2048 bit RSA be considered the minimum key size. >Samller sizes are not really safe these days. I'm surprised to hear this. Remember that DKIM signatures are relatively low value and not intended to be archival. They're typically verified within a day of being signed, and the design encourages key rotation (although I admit that in practice most people don't rotate very often.) How much effort does it take to crack a 1k signature? >In any update of RSA, you really need to determine if your RSA keys will >be using RSASSA-PSS or PKCS#1 v1.5 padding and be careful in the >signature verification methods being used as well as specifying the use >of the SHA2 hash to be used if the key size is greater than RSA 3072 >which is the largest that should probably use SHA2-256. RSA key sizes in >excess of 3072-bit keys may want to consider SHA2-384 or SHA2-512 >hashes. I don't purport to be a crypto expert and haven't a clue. In practice people use whatever "openssl genrsa" provides. I'm not too worried about keys bigger than 3K since I expect that by the time 2K keys are too weak, people will migrate to a different algorithm. >I note that you are suggesting signing using ECDH and wonder if you >intended to specify ECDSA or EdDSA as a way to digitally sign using >Elliptic Curve methods as generally ECDH is used for key agreement >protocols. Beats me. What should we use to maximize interoperability and have lots of free libraries ready to use? R's, John From nobody Fri May 19 07:56:07 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6421C128C81 for ; Fri, 19 May 2017 07:56:06 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.698 X-Spam-Level: X-Spam-Status: No, score=0.698 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bluepopcorn.net Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AT48HP1X6HSU for ; Fri, 19 May 2017 07:56:05 -0700 (PDT) Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 082C5128B91 for ; Fri, 19 May 2017 07:56:04 -0700 (PDT) Received: from splunge.local (c-67-187-243-206.hsd1.ca.comcast.net [67.187.243.206]) (authenticated bits=0) by v2.bluepopcorn.net (8.14.4/8.14.4/Debian-8+deb8u1) with ESMTP id v4JEu2XJ004603 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for ; Fri, 19 May 2017 07:56:04 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net; s=supersize; t=1495205764; bh=jy1UhUGXHy1rqZYEj91dINybEmy4LcFqYtQYDO/Yj58=; h=Subject:To:References:From:Date:In-Reply-To; b=sC6cvi2HbMSgl2Q3VGsp2SgPhosEWgWdUMSHUp7WLhxPSMhLy9inDxMvxT+lAyCSm A4KYNuolESd1WBLyszCeEXImeSxBXMd88RGpXW4sE+pRAsh+yUacwbZBAl3fjha7aV YWf8ZesAABeIR9Zyw+lSbiGwd0hWZC85N4lETNOo= To: dcrup@ietf.org References: <20170519144243.4945.qmail@ary.lan> From: Jim Fenton Message-ID: Date: Fri, 19 May 2017 07:55:59 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 MIME-Version: 1.0 In-Reply-To: <20170519144243.4945.qmail@ary.lan> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 14:56:06 -0000 On 5/19/17 7:42 AM, John Levine wrote: > In article <71169.1495194707@eng-mail01.juniper.net> you write: >> Hi, >> >> I suggest that 2048 bit RSA be considered the minimum key size. >> Samller sizes are not really safe these days. > I'm surprised to hear this. Remember that DKIM signatures are > relatively low value and not intended to be archival. They're > typically verified within a day of being signed, and the design > encourages key rotation (although I admit that in practice most people > don't rotate very often.) Factoring a key gives the attacker the ability to sign messages, so how quickly the signature is verified and its not being intended to be archival is not relevant. Frequency of key rotation is the only thing that matters (along with the value of the signature). > > How much effort does it take to crack a 1k signature? =46rom 2012: https://www.wired.com/2012/10/dkim-vulnerability-widespread/= tl;dr: factored a 512-bit key on AWS in 72 hours for $75. But that was 5 years ago. I haven't extrapolated to current compute costs/speeds or the longer key. -Jim From nobody Fri May 19 08:07:06 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F6DA129412 for ; Fri, 19 May 2017 08:07:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.579 X-Spam-Level: * X-Spam-Status: No, score=1.579 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UznsOeIp3XVp for ; Fri, 19 May 2017 08:07:02 -0700 (PDT) Received: from miucha.iecc.com (w6.iecc.com [IPv6:2001:470:1f07:1126::4945:4343]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 415EC129411 for ; Fri, 19 May 2017 08:07:02 -0700 (PDT) Received: (qmail 73953 invoked from network); 19 May 2017 15:07:01 -0000 Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 19 May 2017 15:07:01 -0000 Date: 19 May 2017 15:06:39 -0000 Message-ID: <20170519150639.5129.qmail@ary.lan> From: "John Levine" To: dcrup@ietf.org Cc: sklist@kitterman.com In-Reply-To: Organization: X-Headerized: yes Mime-Version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8bit Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 15:07:04 -0000 In article you write: >>Perhaps to read section 4 of the draft? > >What currently available DKIM software supports that approach? I don't think any, so I believe that the question of what operators should do until new software can be developed and deployed is still open. None. In fact, I am reasonably sure that 1K keys are plenty strong for DKIM for the next few years. As I noted, DKIM keys and signatures are intended to be short lived. R's, John From nobody Fri May 19 08:13:36 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57A8F126C3D for ; Fri, 19 May 2017 08:13:35 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.579 X-Spam-Level: * X-Spam-Status: No, score=1.579 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rFd2739HW0dv for ; Fri, 19 May 2017 08:13:34 -0700 (PDT) Received: from miucha.iecc.com (w6.iecc.com [IPv6:2001:470:1f07:1126::4945:4343]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 658C6129412 for ; Fri, 19 May 2017 08:13:34 -0700 (PDT) Received: (qmail 75221 invoked from network); 19 May 2017 15:13:33 -0000 Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 19 May 2017 15:13:33 -0000 Date: 19 May 2017 15:13:11 -0000 Message-ID: <20170519151311.5173.qmail@ary.lan> From: "John Levine" To: dcrup@ietf.org Cc: fenton@bluepopcorn.net In-Reply-To: Organization: X-Headerized: yes Mime-Version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8bit Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 15:13:35 -0000 In article you write: >tl;dr: factored a 512-bit key on AWS in 72 hours for $75. But that was 5 >years ago. I haven't extrapolated to current compute costs/speeds or the >longer key. Doesn't the factoring effort double with every added bit? That would suggest that 1K keys are still impractical to factor unless you have a great deal of money and a great deal of time. We knew 512 bit keys were too weak in 2006, but we had (perhaps misplaced) pity for people running beta libraries. R's, John From nobody Fri May 19 08:28:15 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D28B1129461 for ; Fri, 19 May 2017 08:28:13 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k_qGyJmu57lA for ; Fri, 19 May 2017 08:28:12 -0700 (PDT) Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9966212945E for ; Fri, 19 May 2017 08:28:12 -0700 (PDT) Received: from pps.filterd (m0050095.ppops.net [127.0.0.1]) by m0050095.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v4JFRNcP009298; Fri, 19 May 2017 16:28:11 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=jan2016.eng; bh=zz8fmdTH87Sp8MzSF5tnJkMttitZrycd2Qib5bz/YiM=; b=TYdujDIEpQtYbLLFL8e6i1MVGRVkCkrsw3y2ZyT528I0H8B71CtB5nzPOYR/5ZQaqJTc Rie9Wj6RtDJSpRB2XT5SkNwz2zwpbfCrpnJBjpzYBpyagLjOLmHbgjjvo7Blu38XQ5Y6 h8GU3QoE7NJJL1dPL01rPBTbwISgJgCZQgJvVpngCWSkwkKvMqx7O7TrxUPJedwT1zDZ s3kk+cxInxRFj3pFO1OPA+FNvTs8g+Bo0s1XE5ZB01WmVjLb9MT1g4IEZmmWWspBKv2K uXkVnzn0cqDJqUZE/aGqwYbNVlPPTcWPdI8IlTX9gC5u4aDuTRJhbvOiXIlV4sYR5WMC 0Q== Received: from prod-mail-ppoint4 ([96.6.114.87]) by m0050095.ppops.net-00190b01. with ESMTP id 2ahdvfrj5q-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 19 May 2017 16:28:10 +0100 Received: from pps.filterd (prod-mail-ppoint4.akamai.com [127.0.0.1]) by prod-mail-ppoint4.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v4JFPn0F008451; Fri, 19 May 2017 11:28:09 -0400 Received: from email.msg.corp.akamai.com ([172.27.123.31]) by prod-mail-ppoint4.akamai.com with ESMTP id 2adwfvt7pq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 19 May 2017 11:28:09 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb6.msg.corp.akamai.com (172.27.123.65) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 19 May 2017 08:28:07 -0700 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Fri, 19 May 2017 11:28:07 -0400 From: "Salz, Rich" To: Scott Kitterman , "dcrup@ietf.org" Thread-Topic: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 Thread-Index: AQHS0JZPa6MFSHAU0E2PcZUdKc0X+qH73o+AgAAcV4CAAAMVgP//yO4w Date: Fri, 19 May 2017 15:28:06 +0000 Message-ID: References: <20170519143049.4908.qmail@ary.lan> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [172.19.40.249] Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-19_09:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705190096 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-19_09:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705190096 Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 15:28:14 -0000 > Until new signing key management/publishing or crypto achieve similar > successful verification rates to what's currently fielded, they aren't su= itable > replacements. ECC keys are already comparable. =20 > For anything that requires code changes on the part of verifiers, it's go= ing to > take years before enough support new functionality that the d can be > dropped. What do people do in the meantime? This WG is chartered to do a couple of things: document what should be don= e now, and giving advice. I think Scott should write up a draft and offer = it for adoption as it's clearly in-scope. I think the existing "new crypto= " should use new ECC based signatures and also, if necessary as a middle st= ep, approach how to do RSA 2K. Given DNS TXT contraints, I think it makes = sense to have RSA 2K be a separate document from "ECC for DKIM." Does this make sense to the WG members? From nobody Fri May 19 08:50:32 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4B7A1294B5 for ; Fri, 19 May 2017 08:50:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.579 X-Spam-Level: * X-Spam-Status: No, score=1.579 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t6eDe4aSPyzO for ; Fri, 19 May 2017 08:50:29 -0700 (PDT) Received: from miucha.iecc.com (www.iecc.com [IPv6:2001:470:1f07:1126::4945:4343]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99E32129484 for ; Fri, 19 May 2017 08:50:29 -0700 (PDT) Received: (qmail 80226 invoked from network); 19 May 2017 15:50:28 -0000 Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 19 May 2017 15:50:28 -0000 Date: 19 May 2017 15:50:06 -0000 Message-ID: <20170519155006.5267.qmail@ary.lan> From: "John Levine" To: dcrup@ietf.org Cc: rsalz@akamai.com In-Reply-To: Organization: X-Headerized: yes Mime-Version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8bit Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 15:50:31 -0000 In article you write: >use new ECC based signatures and also, if necessary as a middle step, approach how to do RSA 2K. Given DNS TXT >contraints, I think it makes sense to have RSA 2K be a separate document from "ECC for DKIM." > >Does this make sense to the WG members? Given how short they both are, I'd like to keep them together for now. R's, John From nobody Fri May 19 10:02:34 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93908129526 for ; Fri, 19 May 2017 10:02:33 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.8 X-Spam-Level: X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EYQMrchJGAJ3 for ; Fri, 19 May 2017 10:02:32 -0700 (PDT) Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AB3A12954E for ; Fri, 19 May 2017 10:02:31 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id E7C3230056B for ; Fri, 19 May 2017 13:02:30 -0400 (EDT) X-Virus-Scanned: amavisd-new at mail.smeinc.net Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id JWz4tFBf8McB for ; Fri, 19 May 2017 13:02:30 -0400 (EDT) Received: from [5.5.33.165] (vpn.snozzages.com [204.42.252.17]) by mail.smeinc.net (Postfix) with ESMTPSA id 040773004CE for ; Fri, 19 May 2017 13:02:29 -0400 (EDT) From: Russ Housley Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Date: Fri, 19 May 2017 13:02:27 -0400 References: <20170519144243.4945.qmail@ary.lan> To: dcrup@ietf.org In-Reply-To: <20170519144243.4945.qmail@ary.lan> Message-Id: <360CB42F-6B1A-4A6F-95D2-EFF36C449EBB@vigilsec.com> X-Mailer: Apple Mail (2.3273) Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 17:02:33 -0000 >> I suggest that 2048 bit RSA be considered the minimum key size. >> Samller sizes are not really safe these days. > I'm surprised to hear this. Remember that DKIM signatures are > relatively low value and not intended to be archival. They're > typically verified within a day of being signed, and the design > encourages key rotation (although I admit that in practice most people > don't rotate very often.) >=20 > How much effort does it take to crack a 1k signature? NIST has told everyone to move away from SHA-1 for for all uses except = HMAC-SHA-1. NIST has told everyone to move toward RSA with 2048 bit keys, even for = entity authentication applications like DKIM. If RSA keys of that size are a problem, then it it time to start the = transition to Elliptic Curve. We know it will not happen the day the = RFC gets published. Russ From nobody Fri May 19 10:18:24 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD1E9129564 for ; Fri, 19 May 2017 10:18:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.698 X-Spam-Level: X-Spam-Status: No, score=0.698 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mIixVVGfBsaw for ; Fri, 19 May 2017 10:18:21 -0700 (PDT) Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79ABB128DF3 for ; Fri, 19 May 2017 10:18:21 -0700 (PDT) Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 8BEC1C4010C for ; Fri, 19 May 2017 12:18:18 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1495214298; bh=xsSqb38rAjIQ//WT1dt6YzmxZBbEZpEMeDdjbrqZrI0=; h=From:To:Subject:Date:In-Reply-To:References:From; b=cJOG8ktRk12dzaXf7y8oW5yJk9Exe1+3tMjFd1PlYAODtraWCUIGbAx4SVSCVdW17 QyuarXmxKbGPrgBoXFUFzrjUb6aO9pk1xj3p49GXR8hV4eykVoRKY5uEmhJzTlQC9O rgyGhczYbMPEpuE2ZwfIhNe+Ru9Fb8U8BEDAorZU= From: Scott Kitterman To: dcrup@ietf.org Date: Fri, 19 May 2017 13:18:17 -0400 Message-ID: <4250639.jMYMH1ii8S@kitterma-e6430> User-Agent: KMail/4.13.3 (Linux/3.13.0-119-generic; KDE/4.13.3; x86_64; ; ) In-Reply-To: References: <20170519143049.4908.qmail@ary.lan> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Archived-At: Subject: [Dcrup] New algorithm availability was: Re: draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 17:18:23 -0000 On Friday, May 19, 2017 03:28:06 PM Salz, Rich wrote: > > Until new signing key management/publishing or crypto achieve similar > > successful verification rates to what's currently fielded, they aren't > > suitable replacements. > > ECC keys are already comparable. ... Generally, yes, but DKIM verifiers don't support it currently, so for this purpose, not yet. Scott K From nobody Fri May 19 10:20:51 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE09C129564 for ; Fri, 19 May 2017 10:20:49 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EPhfDPEt18JR for ; Fri, 19 May 2017 10:20:48 -0700 (PDT) Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DBF0128DF3 for ; Fri, 19 May 2017 10:20:48 -0700 (PDT) Received: from pps.filterd (m0050102.ppops.net [127.0.0.1]) by m0050102.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v4JH7RcU026114; Fri, 19 May 2017 18:20:46 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=jan2016.eng; bh=fW2vFl0AWQUL8afMFXhS5Nc+bbhzOsKN4A+hA78GLMQ=; b=hAqlrAN+VSDU6grUnBL51B2UH/pdhBnv+dA8K2SYakt7j5fBZSA5N3e2Da6+yzEUA6hl jzEVJHMkwWOLcYCxZUGVb5e6dOQQDWZ6P6uNVQOgdiEkUQi8438DRTnbnpikWC9pSLG2 Be/oT3EGxzX7LT9ZxKSxQB84JMlHAQlxgnM+4xUp3cVIQGWQkiJOaoGuJelOh3s/mWBA ok6B0JCwJPcSJQbVrVC4II7XEPnilaVEbRKFuAg1EXGz7J7kLSWPh2aA++oZKyCL3oOS 8UCGF7hCRwl/a0m6K1qcxXL6N7DQmkDeW14QmGLO+WAMBlf4Vq8gTKlWesaTP0yfvyH9 aQ== Received: from prod-mail-ppoint4 ([96.6.114.87]) by m0050102.ppops.net-00190b01. with ESMTP id 2ahjqq5q5n-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 19 May 2017 18:20:46 +0100 Received: from pps.filterd (prod-mail-ppoint4.akamai.com [127.0.0.1]) by prod-mail-ppoint4.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v4JHBKxH004609; Fri, 19 May 2017 13:20:45 -0400 Received: from email.msg.corp.akamai.com ([172.27.123.32]) by prod-mail-ppoint4.akamai.com with ESMTP id 2adwfvtehf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 19 May 2017 13:20:45 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb6.msg.corp.akamai.com (172.27.123.65) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 19 May 2017 10:20:44 -0700 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Fri, 19 May 2017 13:20:44 -0400 From: "Salz, Rich" To: Scott Kitterman , "dcrup@ietf.org" Thread-Topic: [Dcrup] New algorithm availability was: Re: draft-ietf-dcrup-dkim-crypto-00 Thread-Index: AQHS0MPu2oI6u3Zok0ao5HoXx74mIaH75obQ Date: Fri, 19 May 2017 17:20:43 +0000 Message-ID: <4ff2a3a3ce94418489111c61aea21489@usma1ex-dag1mb1.msg.corp.akamai.com> References: <20170519143049.4908.qmail@ary.lan> <4250639.jMYMH1ii8S@kitterma-e6430> In-Reply-To: <4250639.jMYMH1ii8S@kitterma-e6430> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [172.19.35.116] Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-19_11:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705190108 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-19_11:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705190108 Archived-At: Subject: Re: [Dcrup] New algorithm availability was: Re: draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 17:20:50 -0000 > Generally, yes, but DKIM verifiers don't support it currently, so for thi= s > purpose, not yet. This issue of "we need to move forward; we have an installed base" is not n= ew. RSA2K doesn't fit in many DNS TXT records, so I think that will be an = additional driver to upgrade. You may disagree. From nobody Fri May 19 10:36:37 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CCD2129A8D for ; Fri, 19 May 2017 10:36:36 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9yPvdflh2Ye7 for ; Fri, 19 May 2017 10:36:34 -0700 (PDT) Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B230D129789 for ; Fri, 19 May 2017 10:36:34 -0700 (PDT) Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v4JHQxep012025; Fri, 19 May 2017 18:36:32 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=jan2016.eng; bh=yG7HzC5HC43zGtmRJvho+AS+rLrXNOSMs+nm/jMUp2o=; b=Loum/LJRYrqEtKGKrfRtcEDBzyaqJWAWbk+N8z6tA4m3tOoqkhmeVLhfo1/nQiHEAfJJ S8S+e97fHtUc4osRH2Wd5q38TzvYaLNzCBMUTrXbwf2eF2OuLcc44Eq+PQco6LCcUVqX GGKNYPgHyrRNzaRcC2WGCl3iY/uwU2RHOt2BtVafZF/IeX+wU1IQmfPa0withtoGi8r0 jUwI5SWU1J+VFoP574qDapZHbL+X3KaHD7n0DNaunf4nLhhGHzmP9pFhoAqxoqTy4rGZ vEDV4SYZjM15NUj1pWHJQPH3YnTfan315L/KOutGflaPZGWyhODbYhaiUhEorbhmEmF1 TA== Received: from prod-mail-ppoint1 (a184-51-33-18.deploy.static.akamaitechnologies.com [184.51.33.18] (may be forged)) by m0050096.ppops.net-00190b01. with ESMTP id 2ahya7j10q-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 19 May 2017 18:36:31 +0100 Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v4JHZf0J019011; Fri, 19 May 2017 13:36:31 -0400 Received: from email.msg.corp.akamai.com ([172.27.123.32]) by prod-mail-ppoint1.akamai.com with ESMTP id 2adwfugve7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 19 May 2017 13:36:31 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb2.msg.corp.akamai.com (172.27.123.102) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 19 May 2017 13:36:30 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Fri, 19 May 2017 13:36:30 -0400 From: "Salz, Rich" To: John Levine , "dcrup@ietf.org" Thread-Topic: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 Thread-Index: AQHS0JZPa6MFSHAU0E2PcZUdKc0X+qH73o+AgAAcV4CAAAMVgP//yO4wgABKJAD//9hywA== Date: Fri, 19 May 2017 17:36:29 +0000 Message-ID: <88797f820fc540debef7d0fdb5f4cc92@usma1ex-dag1mb1.msg.corp.akamai.com> References: <20170519155006.5267.qmail@ary.lan> In-Reply-To: <20170519155006.5267.qmail@ary.lan> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [172.19.35.116] Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-19_11:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705190111 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-19_11:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705190110 Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 17:36:36 -0000 PiBHaXZlbiBob3cgc2hvcnQgdGhleSBib3RoIGFyZSwgSSdkIGxpa2UgdG8ga2VlcCB0aGVtIHRv Z2V0aGVyIGZvciBub3cuDQoNCk9rLg0KDQpTcGVha2luZyBhcyBhbiBpbmRpdmlkdWFsLCBJJ2Qg bGlrZSB0byBlbXBoYXNpemUgd2hhdCBNYXJrIHNhaWQuICBFQ0RIIGlzIGEga2V5IGV4Y2hhbmdl IHByb3RvY29sLCBub3QgYSBzaWduaW5nIHByb3RvY29sLiAgRm9yIGVsbGlwdGljIGN1cnZlIHNp Z25hdHVyZXMsIHRoZSBkb2N1bWVudCBzaG91bGQgdXNlIGh0dHBzOi8vZGF0YXRyYWNrZXIuaWV0 Zi5vcmcvZG9jL2RyYWZ0LWlldGYtY3VyZGxlLWNtcy1lZGRzYS1zaWduYXR1cmVzLyB3aGljaCBp cyBub3cgaW4gSUVTRyBsYXN0IGNhbGwuICBOb3RlIHRoYXQgdGhlIGhhc2ggbWVjaGFuaXNtIGlz IGltcGxpY2l0IGluIHRoZSBzaWduYXR1cmUgYWxnb3JpdGhtLg0KDQpUaGUga2V5IGZpbmdlcnBy aW50IG5lZWRzIG1vcmUgY2xhcmlmaWNhdGlvbi4gIEZvciAyNTUxOSBrZXlzLCB0aGVyZSBpcyBh ICJuYXR1cmFsIGFuZCBvYnZpb3VzIiBieXRlIHJlcHJlc2VudGF0aW9uLCBidXQgZm9yIFJTQSBr ZXlzIHdoYXQgaXMgIGJlaW5nIGZpbmdlcnByaW50ZWQ/ICBUaGUgREVSIE9DVEVUIFNUUklORz8g IA0K From nobody Fri May 19 10:40:16 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6934B129A99 for ; Fri, 19 May 2017 10:40:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.381 X-Spam-Level: X-Spam-Status: No, score=0.381 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c5f7pBfRzLxc for ; Fri, 19 May 2017 10:40:12 -0700 (PDT) Received: from mail-qt0-x235.google.com (mail-qt0-x235.google.com [IPv6:2607:f8b0:400d:c0d::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0369B1287A7 for ; Fri, 19 May 2017 10:40:11 -0700 (PDT) Received: by mail-qt0-x235.google.com with SMTP id c13so63722155qtc.1 for ; Fri, 19 May 2017 10:40:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=6qoslcEAaoHuMT4cqcg1jS8hg7RGWr0rg8ntZpUvdcs=; b=E1DicSkgOOTdvp5fNhZL7hyU4bTpXrW17zkJO2+UQg8uwRpd/qjd7Y6yaOLaFOUO3M 4fFFkbnaImojuz2djZJJUkOSawqh63IpQIJ4Wu/XYpNz3b4R/C9y8BdJpQb9S9WjGgFM Byfus+7jfgfpdWZubyzuMOLaYRgPBKnN3vyzsZAwKHIbUy/yGVzvpUU35/e2AJI/vlSf gWQYXIsAEg3YpYXrX0htezNAdIS9omlSwg1J+9clLpi7O4WhiqrddyjTVJJ2bNeJzYOa G69f+9RZfq8i83+4vwBi21AubCcOPXKII0Pz+q6OgpG06YaB6CZdD11Fi/UXcx5RzOAA UKNQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=6qoslcEAaoHuMT4cqcg1jS8hg7RGWr0rg8ntZpUvdcs=; b=XR1mXq8kIzj/gWbie4a0aRey6BTk/hYED1qObk1d/s1L06IYt4vSb33lhmHxYSJA0m UG+CvPX4bwYciqshhu0+x18VXUSL33/hTrHGMd7J9iE1RlBzEm76cr0jlJOdkFAnI3JA qoCoNhzW3PDb3E6EoHChr/JexWi+5bUN8vufFd77tW7qhpCv1XdWn2ygy1ONriChtK8x gOiDdYk4Hqd/lwJfkZkm3zx9UHeuHLT8mK0iwPSrJ4BfNF+MdnFSnygWHnfsNl02wM8O CN/d7W2+zbyvctoUUgAsPlZFNl8HBtKSKJM7vjLmKegpSmALe5lq7pPJPx6UQwKUmkjI KK+A== X-Gm-Message-State: AODbwcDcSXwIJ+uRZRbT3/R9p/hhZ9P5UX9IbfgESzgdV270YX2D1Rqw Pf5xT4uhACb350yC7pCCGjESsmLUxKaIsx0= X-Received: by 10.200.55.6 with SMTP id o6mr9949936qtb.236.1495215611092; Fri, 19 May 2017 10:40:11 -0700 (PDT) MIME-Version: 1.0 Received: by 10.12.185.152 with HTTP; Fri, 19 May 2017 10:40:10 -0700 (PDT) In-Reply-To: <360CB42F-6B1A-4A6F-95D2-EFF36C449EBB@vigilsec.com> References: <20170519144243.4945.qmail@ary.lan> <360CB42F-6B1A-4A6F-95D2-EFF36C449EBB@vigilsec.com> From: Peter Goldstein Date: Fri, 19 May 2017 10:40:10 -0700 Message-ID: To: Russ Housley Cc: dcrup@ietf.org Content-Type: multipart/alternative; boundary="001a1140a0b05cb4b1054fe40377" Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 17:40:15 -0000 --001a1140a0b05cb4b1054fe40377 Content-Type: text/plain; charset="UTF-8" It's going to be hard to move straight to 2048 bit RSA as the minimum key size. The challenges with 2048 bit RSA are largely an issue of the limitations of the DNS infrastructure in use by the sending domain. In some DNS managers, the Web UIs (and occasionally the underlying infrastructure) don't allow domain owners to enter records that are larger than 512 octets. Users of these DNS managers generally cannot provision 2048 bit key DKIM TXT records. That's a problem for self-managed infrastrucutre and email services that provide TXT records for DKIM. Also, as far as I'm aware almost none of the existing email service providers offers the option of a 2048 bit DKIM key out of the box. For those systems that use CNAMEs, upgrading to 2048 bit keys will be relatively straightforward. But for those that distribute TXT records (most of them), they will face more of a challenge to upgrade their users to 2048 bit keys - both because of the above domain limitations and because they're going to need to get their customers to make DNS changes. Given the above, Scott's suggested approach for RSA sounds like the right one - especially if we can combine it with statements from the large receivers that they will plan to sunset support for 1024 bit keys (much as they did for 512 bit keys) at some point in the future. That will both incentivize domain owners and email services to upgrade their key size to 2048 and give the ecosystem time to adjust. That said, I think it's also important to start the process of transitioning to Elliptic Curve. Defining the updates to the spec, getting some software to support it (i.e. OpenDKIM), and working with the large receivers to get them onboard are all steps that can be taken in parallel with Scott's suggested approach for RSA keys. Best, Peter On Fri, May 19, 2017 at 10:02 AM, Russ Housley wrote: > >> I suggest that 2048 bit RSA be considered the minimum key size. > >> Samller sizes are not really safe these days. > > I'm surprised to hear this. Remember that DKIM signatures are > > relatively low value and not intended to be archival. They're > > typically verified within a day of being signed, and the design > > encourages key rotation (although I admit that in practice most people > > don't rotate very often.) > > > > How much effort does it take to crack a 1k signature? > > NIST has told everyone to move away from SHA-1 for for all uses except > HMAC-SHA-1. > > NIST has told everyone to move toward RSA with 2048 bit keys, even for > entity authentication applications like DKIM. > > If RSA keys of that size are a problem, then it it time to start the > transition to Elliptic Curve. We know it will not happen the day the RFC > gets published. > > Russ > > _______________________________________________ > Dcrup mailing list > Dcrup@ietf.org > https://www.ietf.org/mailman/listinfo/dcrup > -- [image: logo for sig file.png] Bringing Trust to Email Peter Goldstein | CTO & Co-Founder peter@valimail.com +1.415.793.5783 --001a1140a0b05cb4b1054fe40377 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
It's going to be hard to move straight to 2048 bi= t RSA as the minimum key size.=C2=A0

The challenge= s with 2048 bit RSA are largely an issue of the limitations of the DNS infr= astructure in use by the sending domain.=C2=A0 In some DNS managers, the We= b UIs (and occasionally the underlying infrastructure) don't allow doma= in owners to enter records that are larger than 512 octets.=C2=A0 Users of = these DNS managers generally cannot provision 2048 bit key DKIM TXT records= .=C2=A0 That's a problem for self-managed infrastrucutre and email serv= ices that provide TXT records for DKIM.

Also, as f= ar as I'm aware almost none of the existing email service providers off= ers the option of a 2048 bit DKIM key out of the box.=C2=A0 For those syste= ms that use CNAMEs, upgrading to 2048 bit keys will be relatively straightf= orward.=C2=A0 But for those that distribute TXT records (most of them), the= y will face more of a challenge to upgrade their users to 2048 bit keys - b= oth because of the above domain limitations and because they're going t= o need to get their customers to make DNS changes.

Given the above, Scott's suggested approach for RSA sounds like the ri= ght one - especially if we can combine it with statements from the large re= ceivers that they will plan to sunset support for 1024 bit keys (much as th= ey did for 512 bit keys) at some point in the future.=C2=A0 That will both = incentivize domain owners and email services to upgrade their key size to 2= 048 and give the ecosystem time to adjust.
<= /font>
That said, I think it's also important to start the process= of transitioning to Elliptic=C2=A0Curve.=C2= =A0 Defining the updates to the spec, getting some software to support it (= i.e. OpenDKIM), and working with the large receivers to get them onboard ar= e all steps that can be taken in parallel with Scott's suggested approa= ch for RSA keys.

Best,

Peter

On Fri, May 19, 2017= at 10:02 AM, Russ Housley <housley@vigilsec.com> wrote:<= br>
>> I suggest that = 2048 bit RSA be considered the minimum key size.
>> Samller sizes are not really safe these days.
> I'm surprised to hear this.=C2=A0 Remember that DKIM signatures ar= e
> relatively low value and not intended to be archival.=C2=A0 They'r= e
> typically verified within a day of being signed, and the design
> encourages key rotation (although I admit that in practice most people=
> don't rotate very often.)
>
> How much effort does it take to crack a 1k signature?

NIST has told everyone to move away from SHA-1 for for all uses exce= pt HMAC-SHA-1.

NIST has told everyone to move toward RSA with 2048 bit keys, even for enti= ty authentication applications like DKIM.

If RSA keys of that size are a problem, then it it time to start the transi= tion to Elliptic Curve.=C2=A0 We know it will not happen the day the RFC ge= ts published.

Russ

_______________________________________________
Dcrup mailing list
Dcrup@ietf.org
https://www.ietf.org/mailman/listinfo/dcrup



--
=
=


3D"logo

Bringing Trust to= Email

Peter Goldstei= n | CTO & Co-Founder

peter@valimail.= com

+1.415.793.57= 83
<= /div>
--001a1140a0b05cb4b1054fe40377-- From nobody Fri May 19 10:42:34 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 801C3129789 for ; Fri, 19 May 2017 10:42:32 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.579 X-Spam-Level: * X-Spam-Status: No, score=1.579 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XZiEJFTINyMm for ; Fri, 19 May 2017 10:42:31 -0700 (PDT) Received: from miucha.iecc.com (www.iecc.com [IPv6:2001:470:1f07:1126::4945:4343]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E0711287A7 for ; Fri, 19 May 2017 10:42:30 -0700 (PDT) Received: (qmail 95540 invoked from network); 19 May 2017 17:42:29 -0000 Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 19 May 2017 17:42:29 -0000 Date: 19 May 2017 17:42:07 -0000 Message-ID: <20170519174207.5556.qmail@ary.lan> From: "John Levine" To: dcrup@ietf.org Cc: rsalz@akamai.com In-Reply-To: <4ff2a3a3ce94418489111c61aea21489@usma1ex-dag1mb1.msg.corp.akamai.com> Organization: X-Headerized: yes Mime-Version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8bit Archived-At: Subject: Re: [Dcrup] New algorithm availability was: Re: draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 17:42:32 -0000 In article <4ff2a3a3ce94418489111c61aea21489@usma1ex-dag1mb1.msg.corp.akamai.com> you write: >> Generally, yes, but DKIM verifiers don't support it currently, so for this >> purpose, not yet. > >This issue of "we need to move forward; we have an installed base" is not new. RSA2K doesn't fit in many DNS TXT >records, so I think that will be an additional driver to upgrade. You may disagree. Just to make it clear, 2K keys fit in TXT records just fine. The problem is provisioning crudware that can't handle TXT records with more than one string. This is a really stupid problem, but it's one that is not going away any time soon, hence the two approaches to putting shorter keys or key hashes in the DNS. R's, John From nobody Fri May 19 10:46:31 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 143E4129AB0 for ; Fri, 19 May 2017 10:46:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.698 X-Spam-Level: X-Spam-Status: No, score=0.698 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UNzxTGjO_bE2 for ; Fri, 19 May 2017 10:46:29 -0700 (PDT) Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BC20129AA0 for ; Fri, 19 May 2017 10:46:29 -0700 (PDT) Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 2BF4FC4010C for ; Fri, 19 May 2017 12:46:28 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1495215988; bh=LlmNxSGUjq2+OpTT8GC3VZetw0AYC/oHRCRvxHjZTZM=; h=From:To:Subject:Date:In-Reply-To:References:From; b=zyiR6Yxlwg5ccvnMjzH/nCjOL17yuxVsDD3MbAg+jo4S4NR3PD+Ok2U0SleL3wUTn MJBLOlQ5yzCIj5gFJ2JBGKH/eFsYbzT2xyw4g2XUBA3FAJkoGmbLYgDKqlt4fYkQHI RipNg9Azdmsd+u3gd0g1a12zVQPQWyN15Jc8dCgM= From: Scott Kitterman To: dcrup@ietf.org Date: Fri, 19 May 2017 13:46:27 -0400 Message-ID: <4953918.gJaR4Uu6GM@kitterma-e6430> User-Agent: KMail/4.13.3 (Linux/3.13.0-119-generic; KDE/4.13.3; x86_64; ; ) In-Reply-To: <4ff2a3a3ce94418489111c61aea21489@usma1ex-dag1mb1.msg.corp.akamai.com> References: <20170519143049.4908.qmail@ary.lan> <4250639.jMYMH1ii8S@kitterma-e6430> <4ff2a3a3ce94418489111c61aea21489@usma1ex-dag1mb1.msg.corp.akamai.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Archived-At: Subject: Re: [Dcrup] New algorithm availability was: Re: draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 17:46:30 -0000 On Friday, May 19, 2017 05:20:43 PM Salz, Rich wrote: > > Generally, yes, but DKIM verifiers don't support it currently, so for this > > purpose, not yet. > > This issue of "we need to move forward; we have an installed base" is not > new. RSA2K doesn't fit in many DNS TXT records, so I think that will be an > additional driver to upgrade. You may disagree. I agree there will be drivers to upgrade, but regardless of the drivers, upgrades take time. I think we have two problems to address: 1. What can be done within the scope of deployed software that was developed based on the RFC 6376 requirements (which can be deployed now) 2. What should be done to modernize crypto for DKIM for the longer term that, while it will require software upgrades, will keep DKIM fit for purpose for a long (FSVO long) time. I think they both are important. I think the first one is really easy to specify and cross off the list (I am personally very interested in being able to tell people "No, I don't have to verify your 512 bit key. RFC 6376 has been updated by RFC XXXX. Please join the latter half of the second decade of the 21st century). It's likely we disagree less than I infer you imagine. Scott K From nobody Fri May 19 10:52:00 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F656129ADF for ; Fri, 19 May 2017 10:51:56 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tSn1573Y2Bs4 for ; Fri, 19 May 2017 10:51:54 -0700 (PDT) Received: from mx0b-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 273B0129ADD for ; Fri, 19 May 2017 10:51:54 -0700 (PDT) Received: from pps.filterd (m0050093.ppops.net [127.0.0.1]) by m0050093.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v4JHfubW012381; Fri, 19 May 2017 18:51:52 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=jan2016.eng; bh=pjpnGcJWOCjCWDLNxmRtQHAtAXvLErMTbBdX9IFSRv4=; b=i3m9CgCgkYhsGMQDs9qrIjQXscneZOMiL7dhPChJ11rM8nKrbLurwLJ00gGgrHzlewJY JarNF/cdmuIzVQFlkW5pqj+tkk4BNMJrlEpiLjtm4WGPWfFiq27hxKPhwLjtUquJ8Tjn UhsS4ryJJaUvNNjFKz/5CWAeIIfCY+x0y4CrtxvQhNlXNm+FQz6xZxC0kKw61qbdH0Ii b4BhdjCHD/yYsfeJJwH4WA5O7xbEjOdOWxluF8tbOQY/cDX5F0fTMz2TI8YitxHhsZ8n fLeQOcDKNN/hTfs0hqj13Oxp9zs+Y9ACn8NU9y1KzT/TIR3XwSXJoqprHp+k1fXkjuN7 gg== Received: from prod-mail-ppoint2 (a184-51-33-19.deploy.static.akamaitechnologies.com [184.51.33.19] (may be forged)) by m0050093.ppops.net-00190b01. with ESMTP id 2aj32a8vgu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 19 May 2017 18:51:52 +0100 Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v4JHp16f030404; Fri, 19 May 2017 13:51:51 -0400 Received: from email.msg.corp.akamai.com ([172.27.123.33]) by prod-mail-ppoint2.akamai.com with ESMTP id 2adwfugwhr-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 19 May 2017 13:51:50 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb1.msg.corp.akamai.com (172.27.123.101) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 19 May 2017 13:51:50 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Fri, 19 May 2017 13:51:50 -0400 From: "Salz, Rich" To: Scott Kitterman , "dcrup@ietf.org" Thread-Topic: [Dcrup] New algorithm availability was: Re: draft-ietf-dcrup-dkim-crypto-00 Thread-Index: AQHS0MPu2oI6u3Zok0ao5HoXx74mIaH75obQgABKroD//740QA== Date: Fri, 19 May 2017 17:51:50 +0000 Message-ID: <810f08ddcffe4dd8823baf99d649622b@usma1ex-dag1mb1.msg.corp.akamai.com> References: <20170519143049.4908.qmail@ary.lan> <4250639.jMYMH1ii8S@kitterma-e6430> <4ff2a3a3ce94418489111c61aea21489@usma1ex-dag1mb1.msg.corp.akamai.com> <4953918.gJaR4Uu6GM@kitterma-e6430> In-Reply-To: <4953918.gJaR4Uu6GM@kitterma-e6430> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [172.19.35.116] Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-19_11:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705190112 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-19_11:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705190112 Archived-At: Subject: Re: [Dcrup] New algorithm availability was: Re: draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 17:51:57 -0000 > It's likely we disagree less than I infer you imagine. I think we don't disagree at all. I'm just more optimistic about ECC deplo= yment. :) I look forward to your draft! From nobody Fri May 19 11:01:06 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E6FF129AB0 for ; Fri, 19 May 2017 11:01:05 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.799 X-Spam-Level: X-Spam-Status: No, score=0.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pYPm5VT9sMKc for ; Fri, 19 May 2017 11:01:02 -0700 (PDT) Received: from mail.wordtothewise.com (mail.wordtothewise.com [184.105.179.154]) by ietfa.amsl.com (Postfix) with ESMTP id 4C4F9129458 for ; Fri, 19 May 2017 11:01:02 -0700 (PDT) Received: from [IPv6:2001:470:1f05:33:b068:b83d:5199:64e8] (unknown [IPv6:2001:470:1f05:33:b068:b83d:5199:64e8]) by mail.wordtothewise.com (Postfix) with ESMTPSA id 788CB23379 for ; Fri, 19 May 2017 11:01:15 -0700 (PDT) From: Steve Atkins Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Date: Fri, 19 May 2017 11:01:01 -0700 References: <20170519150639.5129.qmail@ary.lan> To: dcrup@ietf.org In-Reply-To: <20170519150639.5129.qmail@ary.lan> Message-Id: <7C8DBA8A-F18E-450C-B4C9-D3784FB9E8C3@blighty.com> X-Mailer: Apple Mail (2.3273) Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 18:01:05 -0000 > On May 19, 2017, at 8:06 AM, John Levine wrote: >=20 > In article you = write: >>> Perhaps to read section 4 of the draft? >>=20 >> What currently available DKIM software supports that approach? I = don't think any, so I believe that the question of what operators should = do until new software can be developed and deployed is still open. >=20 > None. In fact, I am reasonably sure that 1K keys are plenty strong > for DKIM for the next few years. =20 Likely big enough for the near future, yes (and 1.5k keys for longer = still, and even 2k keys are less than 400 bytes long, which still leaves = plenty of space in a 512 byte response). > As I noted, DKIM keys and signatures > are intended to be short lived. That was the plan, but in practice DKIM selectors (and presumably the = associated key pairs) seem to be commonly deployed once, when the user = sets up DKIM and never changed until the mail infrastructure is next = updated. The organizations represented here are probably better at key rotation = than most and here I see selectors of "jan2016.eng", "20161025" and = "ietf1", none of which suggest regular rotation. They're not short-lived and (unless we somehow enforce key rotation) our = crypto decisions should probably be informed by that. Cheers, Steve From nobody Fri May 19 11:18:08 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19FD9129ADE for ; Fri, 19 May 2017 11:18:06 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h8y4MDntU3pb for ; Fri, 19 May 2017 11:18:04 -0700 (PDT) Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A83A1293EC for ; Fri, 19 May 2017 11:18:04 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id D192A30056B for ; Fri, 19 May 2017 14:18:03 -0400 (EDT) X-Virus-Scanned: amavisd-new at mail.smeinc.net Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id lmaKyirA_LRV for ; Fri, 19 May 2017 14:18:02 -0400 (EDT) Received: from new-host-6.home (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id E8046300408 for ; Fri, 19 May 2017 14:18:02 -0400 (EDT) From: Russ Housley Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Date: Fri, 19 May 2017 14:18:02 -0400 References: <20170519155006.5267.qmail@ary.lan> <88797f820fc540debef7d0fdb5f4cc92@usma1ex-dag1mb1.msg.corp.akamai.com> To: "dcrup@ietf.org" In-Reply-To: <88797f820fc540debef7d0fdb5f4cc92@usma1ex-dag1mb1.msg.corp.akamai.com> Message-Id: <3203B73D-11C6-4B7D-A1B3-824DFBBC55E3@vigilsec.com> X-Mailer: Apple Mail (2.3273) Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 18:18:06 -0000 > On May 19, 2017, at 1:36 PM, Salz, Rich wrote: >=20 >> Given how short they both are, I'd like to keep them together for = now. >=20 > Ok. >=20 > Speaking as an individual, I'd like to emphasize what Mark said. ECDH = is a key exchange protocol, not a signing protocol. For elliptic curve = signatures, the document should use = https://datatracker.ietf.org/doc/draft-ietf-curdle-cms-eddsa-signatures/ = which is now in IESG last call. Note that the hash mechanism is = implicit in the signature algorithm. I can make argument for both Ed25519 and ECDSA P256 with SHA-256. I = know that the second one is widely available via OpenSSL. Russ From nobody Fri May 19 11:48:42 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACA4A12947D for ; Fri, 19 May 2017 11:48:40 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.678 X-Spam-Level: X-Spam-Status: No, score=0.678 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=X5Xd6sow; dkim=pass (1536-bit key) header.d=taugh.com header.b=Q1b1F3Ff Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nDMUotrwb0RV for ; Fri, 19 May 2017 11:48:39 -0700 (PDT) Received: from miucha.iecc.com (www.iecc.com [IPv6:2001:470:1f07:1126::4945:4343]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63ED71273B1 for ; Fri, 19 May 2017 11:48:39 -0700 (PDT) Received: (qmail 3479 invoked from network); 19 May 2017 18:48:38 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=d95.591f3e06.k1705; bh=GpL6o6xbRXz1pDolvnXVvV/hDsvJNcWo+Pgp+95ADMQ=; b=X5Xd6sowchkQFtUd/qzeDPNmFBS5o1x+gHvLiDdwE6h6wzafRqnnyb6DVqQEBFS3kxwi3ix5I7XnORmKnz1uqK4ZL2irozk0slKj5T8NKRXdKw8KRaViHHm5KwMJ7n9FUdiifW1hbvGI7FKKZtF8vKymqY1hPDEcgoyjJnuZ9itDKoWXPPD5mHM9rJeBO+n+BaA1oNqV6/eYdKz2FjFLHmcurU5SrsUU7f9b0qoCd7ixrBWTOcqMmY4bhmLCuabb DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=d95.591f3e06.k1705; bh=GpL6o6xbRXz1pDolvnXVvV/hDsvJNcWo+Pgp+95ADMQ=; b=Q1b1F3FfKeaRjzPLTe+hvxB44dDResJKMhv063ynw2mwlPBBei2TVgvoCQWyYaEiUSMGiNjpZW2QwAq6URXfBYzWbVUhOQ/QOEXtiQcTcerXivR+p/zqsq+zMQ95WKMM3hP47kt6heCQA0LSuz7gfGSioLq6mTIbthq8n/CF5JjW5FlIdEyepv/6uHMIa0lRYvXTRUu6Mq0d227np7uMGTuBHJPgvIz/EdeNHptHmUxxWrKdjBvuvDGFNG6I80S0 Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 19 May 2017 18:48:38 -0000 Date: 19 May 2017 14:48:38 -0400 Message-ID: From: "John R Levine" To: "Salz, Rich" Cc: "dcrup@ietf.org" In-Reply-To: <88797f820fc540debef7d0fdb5f4cc92@usma1ex-dag1mb1.msg.corp.akamai.com> References: <20170519155006.5267.qmail@ary.lan> <88797f820fc540debef7d0fdb5f4cc92@usma1ex-dag1mb1.msg.corp.akamai.com> User-Agent: Alpine 2.21 (OSX 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 18:48:41 -0000 > Speaking as an individual, I'd like to emphasize what Mark said. ECDH is a key exchange protocol, not a signing protocol. For elliptic curve signatures, the document should use https://datatracker.ietf.org/doc/draft-ietf-curdle-cms-eddsa-signatures/ which is now in IESG last call. Note that the hash mechanism is implicit in the signature algorithm. That's fine, like I said I don't purport to be a crypto expert. Even better, send text. > The key fingerprint needs more clarification. For 25519 keys, there is > a "natural and obvious" byte representation, but for RSA keys what is > being fingerprinted? The DER OCTET STRING? IIM had key fingerprints. Perhaps Jim can tell us what it did. Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly From nobody Fri May 19 11:58:19 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02ED712948A for ; Fri, 19 May 2017 11:58:17 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.102 X-Spam-Level: X-Spam-Status: No, score=-0.102 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bluepopcorn.net Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bA7Onv5EFaU2 for ; Fri, 19 May 2017 11:58:15 -0700 (PDT) Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 997AB129B04 for ; Fri, 19 May 2017 11:58:14 -0700 (PDT) Received: from splunge.local (c-67-187-243-206.hsd1.ca.comcast.net [67.187.243.206]) (authenticated bits=0) by v2.bluepopcorn.net (8.14.4/8.14.4/Debian-8+deb8u1) with ESMTP id v4JIwCcR007261 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for ; Fri, 19 May 2017 11:58:14 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net; s=supersize; t=1495220294; bh=LHxvPI8gdQyDOAr7SoEx43gsSVHduZzgV+sO2AugoOs=; h=Subject:To:References:From:Date:In-Reply-To; b=bJB+vrXTZUQF+qdekYeRkbcftlS3y7e47TBMNuJqIBKxJJpJ4U8s0P+yAeySB5Mf9 M5HQSPJtjtozWsFBK/p78dKYoWzNit7c/03rUt42fSXw+KxunbgVUwlbXtllnjw56O 1vhCA6tT3Zt7do72Gn7lXSbikUEgMmmyHmYzX9VM= To: dcrup@ietf.org References: <20170519155006.5267.qmail@ary.lan> <88797f820fc540debef7d0fdb5f4cc92@usma1ex-dag1mb1.msg.corp.akamai.com> From: Jim Fenton Message-ID: <6f97637b-baff-03b4-6006-7a143719d2f1@bluepopcorn.net> Date: Fri, 19 May 2017 11:58:09 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/alternative; boundary="------------EFB846DF723942F26238BE8B" Archived-At: Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 May 2017 18:58:17 -0000 This is a multi-part message in MIME format. --------------EFB846DF723942F26238BE8B Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit On 5/19/17 11:48 AM, John R Levine wrote: >> Speaking as an individual, I'd like to emphasize what Mark said. >> ECDH is a key exchange protocol, not a signing protocol. For >> elliptic curve signatures, the document should use >> https://datatracker.ietf.org/doc/draft-ietf-curdle-cms-eddsa-signatures/ >> which is now in IESG last call. Note that the hash mechanism is >> implicit in the signature algorithm. > > That's fine, like I said I don't purport to be a crypto expert. Even > better, send text. > >> The key fingerprint needs more clarification. For 25519 keys, there >> is a "natural and obvious" byte representation, but for RSA keys what >> is being fingerprinted? The DER OCTET STRING? > > IIM had key fingerprints. Perhaps Jim can tell us what it did. >From https://www.ietf.org/archive/id/draft-fenton-identified-mail-02.txt : The fingerprint is created as follows: create the binary representation of the RSA exponent (e) and modulus (n) and concatenate them as e|n. Run this value through SHA1 over the full length and convert the first 12 bytes of the output of the SHA1 operation to base 64. That is, base64 (TRUNC (SHA1 ((e|n)),12) -Jim --------------EFB846DF723942F26238BE8B Content-Type: text/html; charset=windows-1252 Content-Transfer-Encoding: 8bit
On 5/19/17 11:48 AM, John R Levine wrote:
Speaking as an individual, I'd like to emphasize what Mark said.  ECDH is a key exchange protocol, not a signing protocol.  For elliptic curve signatures, the document should use https://datatracker.ietf.org/doc/draft-ietf-curdle-cms-eddsa-signatures/ which is now in IESG last call.  Note that the hash mechanism is implicit in the signature algorithm.

That's fine, like I said I don't purport to be a crypto expert.  Even better, send text.

The key fingerprint needs more clarification.  For 25519 keys, there is a "natural and obvious" byte representation, but for RSA keys what is being fingerprinted?  The DER OCTET STRING?

IIM had key fingerprints.  Perhaps Jim can tell us what it did.

From https://www.ietf.org/archive/id/draft-fenton-identified-mail-02.txt :

The fingerprint is created as follows: create the binary
representation of the RSA exponent (e) and modulus (n) and
concatenate them as e|n.  Run this value through SHA1 over the
full length and convert the first 12 bytes of the output of the
SHA1 operation to base 64.  That is, base64 (TRUNC (SHA1 ((e|n)),12)

-Jim


--------------EFB846DF723942F26238BE8B--


From nobody Fri May 19 12:00:54 2017
Return-Path: 
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DF2F129B40 for ; Fri, 19 May 2017 12:00:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3TG590e9IYrR for ; Fri, 19 May 2017 12:00:52 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92EA9129B26 for ; Fri, 19 May 2017 12:00:46 -0700 (PDT)
Received: from pps.filterd (m0050093.ppops.net [127.0.0.1]) by m0050093.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v4JIvDWn023689; Fri, 19 May 2017 20:00:40 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=jan2016.eng; bh=1jFbF57FvKO3mb/byKivJpwCjw3/1LH9/nKgui2L9sQ=; b=DcQ/o2snkphXJu+wdqKIo/UwEbLKzem60r0hIa8abyqmoOFA3CoNXlsBINrT52TKiI4k pxe59BGEGwmCJxol/iBFOJwmL+gjaDwcPjDGADh96+XYzNBEWcz3zWq5DwwGE+9Pl6CZ FjluiqlYr62tJeaIGfcXvNoqf8Nxb8KEG0DPZAlzk8wxis251QA1sl+6N1GdA3qbtvOD v90+PqEZqAZ6fFET+UOC8MyZbhqG+Vq7sjMbrmlEkhs++VznR+eVimvxkoMajn2v4swU FyoxNFcZMNzEPBy9FspCCDt5ry2K6ZdbME6ikTIKJh33Ulai9IZCVVG95PNl1hquKlWP Vw== 
Received: from prod-mail-ppoint2 (a184-51-33-19.deploy.static.akamaitechnologies.com [184.51.33.19] (may be forged)) by m0050093.ppops.net-00190b01. with ESMTP id 2aj32a97rb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 19 May 2017 20:00:40 +0100
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v4JIv8bD006903; Fri, 19 May 2017 15:00:38 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.30]) by prod-mail-ppoint2.akamai.com with ESMTP id 2adwfuh31u-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 19 May 2017 15:00:38 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb4.msg.corp.akamai.com (172.27.123.104) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 19 May 2017 15:00:37 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Fri, 19 May 2017 15:00:37 -0400
From: "Salz, Rich" 
To: Jim Fenton , "dcrup@ietf.org" 
Thread-Topic: [Dcrup] draft-ietf-dcrup-dkim-crypto-00
Thread-Index: AQHS0JZPa6MFSHAU0E2PcZUdKc0X+qH73o+AgAAcV4CAAAMVgP//yO4wgABKJAD//9hywIAAWXAAgAACqID//71+UA==
Date: Fri, 19 May 2017 19:00:37 +0000
Message-ID: <64864194f36f479fad662498e95e4a4e@usma1ex-dag1mb1.msg.corp.akamai.com>
References:  <20170519155006.5267.qmail@ary.lan> <88797f820fc540debef7d0fdb5f4cc92@usma1ex-dag1mb1.msg.corp.akamai.com>  <6f97637b-baff-03b4-6006-7a143719d2f1@bluepopcorn.net>
In-Reply-To: <6f97637b-baff-03b4-6006-7a143719d2f1@bluepopcorn.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.35.116]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-19_12:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705190118
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-19_12:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705190118
Archived-At: 
Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Fri, 19 May 2017 19:00:53 -0000

> The fingerprint is created as follows: create the binary
> representation of the RSA exponent (e) and modulus (n) and

What is the binary representation?  Is it the DER or the native BIGNUM form=
at?


From nobody Fri May 19 12:09:05 2017
Return-Path: 
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFB3E129AB8 for ; Fri, 19 May 2017 12:09:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.698
X-Spam-Level: 
X-Spam-Status: No, score=0.698 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bluepopcorn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yW6kOJZU3GQa for ; Fri, 19 May 2017 12:09:02 -0700 (PDT)
Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E16F71279E5 for ; Fri, 19 May 2017 12:09:02 -0700 (PDT)
Received: from splunge.local (c-67-187-243-206.hsd1.ca.comcast.net [67.187.243.206]) (authenticated bits=0) by v2.bluepopcorn.net (8.14.4/8.14.4/Debian-8+deb8u1) with ESMTP id v4JJ8x8A007369 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 19 May 2017 12:09:01 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net; s=supersize; t=1495220941; bh=+kToLTsXjxi0PTvphi4CImdkKo/uSbUniBnrslMT7q0=; h=Subject:To:References:From:Date:In-Reply-To; b=OoLP9Mj0kGBgdKUBL0fN1vfYyHGoqHcm39dS1JE+jLekUZNVuCqUAyqzCloXDYZny LY/0lZpxuMZesEmkk2NIzqeMtP9kSErXn5BrCdXvdbWLnoQZt9NErxpv9Ff4+Sv7K9 ZNkOOEayTIu/qVGtx6SWE7awk5PXf3Gs/XwIzF6w=
To: "Salz, Rich" , "dcrup@ietf.org" 
References:  <20170519155006.5267.qmail@ary.lan> <88797f820fc540debef7d0fdb5f4cc92@usma1ex-dag1mb1.msg.corp.akamai.com>  <6f97637b-baff-03b4-6006-7a143719d2f1@bluepopcorn.net> <64864194f36f479fad662498e95e4a4e@usma1ex-dag1mb1.msg.corp.akamai.com>
From: Jim Fenton 
Message-ID: 
Date: Fri, 19 May 2017 12:08:56 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <64864194f36f479fad662498e95e4a4e@usma1ex-dag1mb1.msg.corp.akamai.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: 
Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Fri, 19 May 2017 19:09:04 -0000

On 5/19/17 12:00 PM, Salz, Rich wrote:
>> The fingerprint is created as follows: create the binary
>> representation of the RSA exponent (e) and modulus (n) and
> What is the binary representation?  Is it the DER or the native BIGNUM format?

I can't remember; this was back in 2005 and Mike Thomas did the
implementation.

Regardless, I wouldn't do the same thing today. Use SHA256 instead of
SHA1, and I'm not sure the truncation is a good idea.

-Jim


From nobody Fri May 19 13:53:00 2017
Return-Path: 
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B583C129B23 for ; Fri, 19 May 2017 13:52:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.103
X-Spam-Level: 
X-Spam-Status: No, score=-0.103 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tK3GsAQdSJaV for ; Fri, 19 May 2017 13:52:58 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [IPv6:2607:f0d0:3001:aa::2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59454129B19 for ; Fri, 19 May 2017 13:52:58 -0700 (PDT)
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 96EBEC4010C for ; Fri, 19 May 2017 15:52:55 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1495227175; bh=b2bz1N+2oU6TEFWAEsfT6+oVK7soH51KAH8SD3+3EaQ=; h=From:To:Subject:Date:In-Reply-To:References:From; b=FQZax9rBusKx9jeGLq8U87oUd3T1opr/BfAAg4g/xBelyRzMWq8MJkrX48byB9ZN6 LvqTloSCci/kuS7jGxahnn0mZcmFdDXhP6HlGV1y+iZHaje3/6m2YbbapDRTLsqquR YoYP17ojV5N5dCpnNBnBmm9Tjk1rQfEovPUFZJyk=
From: Scott Kitterman 
To: dcrup@ietf.org
Date: Fri, 19 May 2017 16:52:53 -0400
Message-ID: <4533863.Agf4mVQgKf@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-119-generic; KDE/4.13.3; x86_64; ; )
In-Reply-To: <810f08ddcffe4dd8823baf99d649622b@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <20170519143049.4908.qmail@ary.lan> <4953918.gJaR4Uu6GM@kitterma-e6430> <810f08ddcffe4dd8823baf99d649622b@usma1ex-dag1mb1.msg.corp.akamai.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: 
Subject: Re: [Dcrup] New algorithm availability was: Re: draft-ietf-dcrup-dkim-crypto-00
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Fri, 19 May 2017 20:53:00 -0000

On Friday, May 19, 2017 05:51:50 PM Salz, Rich wrote:
> > It's likely we disagree less than I infer you imagine.
> 
> I think we don't disagree at all.  I'm just more optimistic about ECC
> deployment. :)
> 
> I look forward to your draft!

Your turn:

Submission status: Awaiting Initial Version Approval

The submission is pending approval by the group chairs.

Scott K


From nobody Fri May 19 18:03:15 2017
Return-Path: 
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF65F12942F for ; Fri, 19 May 2017 18:03:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.479
X-Spam-Level: *
X-Spam-Status: No, score=1.479 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nDMwjViI4QnX for ; Fri, 19 May 2017 18:03:13 -0700 (PDT)
Received: from miucha.iecc.com (www.iecc.com [IPv6:2001:470:1f07:1126::4945:4343]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93880126BF6 for ; Fri, 19 May 2017 18:03:13 -0700 (PDT)
Received: (qmail 41327 invoked from network); 20 May 2017 01:03:12 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:subject:mime-version:content-type:user-agent; s=a16d.591f95d0.k1705; bh=dJ/jXW76Rzz0ZmMgPu05ZG8wb6yaXwzKk7kBOQdebVA=; b=WI25X9V02ISyZpQ8I8Lel1oafJxlZ4vVWFLjNIPVyawg8XrNX3EwHZN3b2HZLw/Dn3SRMm9XBm+7kM5jtNBYeLwMwNZifupoW6QsxSM/EDYAPfwmpbMIDHinEaV6UfA1MJz8tsEPC+RfncNflhCtlWsCJ8IozdEpxfSx0XlG+Abk1roQyFI7BgIu5luc9ri3PZsy4JeSPJKywIcscqcYNyi86z/RWK4cZyi5YupDWp4YHYQXYBMyLmpU3ahpnIM5
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 20 May 2017 01:03:12 -0000
Date: 19 May 2017 21:03:11 -0400
Message-ID: 
From: "John R. Levine" 
To: dcrup@ietf.org
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: 
Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Sat, 20 May 2017 01:03:15 -0000

In article ,
Peter Goldstein   wrote:
>The challenges with 2048 bit RSA are largely an issue of the limitations of
>the DNS infrastructure in use by the sending domain.  In some DNS managers,
>the Web UIs (and occasionally the underlying infrastructure) don't allow
>domain owners to enter records that are larger than 512 octets.  Users of
>these DNS managers generally cannot provision 2048 bit key DKIM TXT
>records. ...

The problem isn't the 512 byte limit, since a 2K key is under 400
bytes.  The problem is provisioning crudware that can't create TXT
records with two strings.  But until the crudware is updated, which
will likely be never, it's a problem.

R's,
John


From nobody Fri May 19 18:10:07 2017
Return-Path: 
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 425311200C1 for ; Fri, 19 May 2017 18:10:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.318
X-Spam-Level: 
X-Spam-Status: No, score=-0.318 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uJ-DBrc_RqCP for ; Fri, 19 May 2017 18:10:03 -0700 (PDT)
Received: from mail-qk0-x22e.google.com (mail-qk0-x22e.google.com [IPv6:2607:f8b0:400d:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB71B1252BA for ; Fri, 19 May 2017 18:10:02 -0700 (PDT)
Received: by mail-qk0-x22e.google.com with SMTP id a72so73604589qkj.2 for ; Fri, 19 May 2017 18:10:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=79HPzks1NK2LsycnoCIVwVDB0Fe3GDcHBn72vip19iI=; b=gKtko0L8KYs3AdjLO90QO7/pT0o7FaWzl11KSIYQEq/f7HuSr1xODRJ94+2NE/5/GV Grq5Tp7liJu9embJFX7MwFVibc1u9uxLtnZSYw+Prwcy+SfgqlvgRdhX2qnlNR+DBkmF VoqNELjiUuWZkTmWLcQKcaNzaeEgg+vcJnXhY3gbYvMTC0La3HD8KiSgAfGUcnR4L3GR uSs1VS2+QR+Eq7QXA8HoJd6SFR+TTRHeeWI2mwOBJbwfsx3s/R116cH5tDLM7PZTRgC8 ka7mG2STMwbxBJvOREPP1H35IpGJZPE6JSU+D8+HbLb4KfrGJIsj0KHef9EYPflhVfzT GLuw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=79HPzks1NK2LsycnoCIVwVDB0Fe3GDcHBn72vip19iI=; b=ityDwxOojTd9L/jV0tSxLgAyqaZXM/An+bhlivBgyT+PIiNuROk0YW6kTQFRDzCZR6 IEGoci4tou2wyU3IhENug0MerkaO1M40i2zJymKlrYvJEOYu2mDd+QEUtg70876pBwSr vSBf8orxuD5mA0ujIvMKmAvr3P6ZJPlY+BoXMTLufbvODOOYooUzupzSHjNokcrPrPw9 CsB8AMmuyRJ4QxCR9Lp7p44bkphuJmq666542A90alUAQwngOWN56R0clVzuGWzHF1zJ JrqXX8xafw6J5B1oS72Vjt8jKrCT2x5xfCkfIBTMVDau8ckLL85e4/SNq0qtW7z0XNwT bWyw==
X-Gm-Message-State: AODbwcBWCVmyHumkqpR1nkv5CmyJsPHCOakilN6izGCVpcggElHDH8CX I28RMUYIqg0ThM/f5NKKeoLPLyYrbmjYfFE=
X-Received: by 10.55.183.67 with SMTP id h64mr11261564qkf.218.1495242602114; Fri, 19 May 2017 18:10:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.185.152 with HTTP; Fri, 19 May 2017 18:10:01 -0700 (PDT)
In-Reply-To: 
References: 
From: Peter Goldstein 
Date: Fri, 19 May 2017 18:10:01 -0700
Message-ID: 
To: "John R. Levine" 
Cc: dcrup@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c06028e270d13054fea4ce2"
Archived-At: 
Subject: Re: [Dcrup] draft-ietf-dcrup-dkim-crypto-00
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Sat, 20 May 2017 01:10:05 -0000

--94eb2c06028e270d13054fea4ce2
Content-Type: text/plain; charset="UTF-8"

Yes, sorry.  You're right - it's the 255 byte limit of the individual
strings that's the issue.

And yes, the crudware will never be updated.

Best,

Peter

On Fri, May 19, 2017 at 6:03 PM, John R. Levine  wrote:

> In article  gmail.com>,
> Peter Goldstein   wrote:
>
>> The challenges with 2048 bit RSA are largely an issue of the limitations
>> of
>> the DNS infrastructure in use by the sending domain.  In some DNS
>> managers,
>> the Web UIs (and occasionally the underlying infrastructure) don't allow
>> domain owners to enter records that are larger than 512 octets.  Users of
>> these DNS managers generally cannot provision 2048 bit key DKIM TXT
>> records. ...
>>
>
> The problem isn't the 512 byte limit, since a 2K key is under 400
> bytes.  The problem is provisioning crudware that can't create TXT
> records with two strings.  But until the crudware is updated, which
> will likely be never, it's a problem.
>
> R's,
> John
>
>
> _______________________________________________
> Dcrup mailing list
> Dcrup@ietf.org
> https://www.ietf.org/mailman/listinfo/dcrup
>



-- 


[image: logo for sig file.png]

Bringing Trust to Email

Peter Goldstein | CTO & Co-Founder

peter@valimail.com
+1.415.793.5783

--94eb2c06028e270d13054fea4ce2
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable


Yes, sorry.=C2=A0 You're right - it's the 255 byte=
 limit of the individual strings that's the issue.

A=
nd yes, the crudware will never be updated. =C2=A0

Best,

Peter

On Fri, May 19, 2017 at 6:03 PM,=
 John R. Levine <johnl@iecc.com> wrote:
In article <CAOj=3DBA0gKP9x5jgkZEUJD-=
EJvRSwC0dgmijwbDirsCQT4z0E4Q@mail.gmail.com>,

Peter Goldstein=C2=A0 <peter@valimail.com> wrote:



The challenges with 2048 bit RSA are largely an issue of the limitations of=


the DNS infrastructure in use by the sending domain.=C2=A0 In some DNS mana=
gers,

the Web UIs (and occasionally the underlying infrastructure) don't allo=
w

domain owners to enter records that are larger than 512 octets.=C2=A0 Users=
 of

these DNS managers generally cannot provision 2048 bit key DKIM TXT

records. ...





The problem isn't the 512 byte limit, since a 2K key is under 400

bytes.=C2=A0 The problem is provisioning crudware that can't create TXT=


records with two strings.=C2=A0 But until the crudware is updated, which
will likely be never, it's a problem.



R's,

John




_______________________________________________

Dcrup mailing list

Dcrup@ietf.org

https://www.ietf.org/mailman/listinfo/dcrup





-- 
=

=


3D"logo
Bringing Trust to=
 Email
Peter Goldstei=
n | CTO & Co-Founder
peter@valimail.=
com
+1.415.793.57=
83
<=
/div>




--94eb2c06028e270d13054fea4ce2--


From nobody Fri May 19 19:47:08 2017
Return-Path: 
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD3F612948D for ; Fri, 19 May 2017 19:47:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001,  URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LjFRyoWyjXRD for ; Fri, 19 May 2017 19:47:05 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66B22127011 for ; Fri, 19 May 2017 19:47:05 -0700 (PDT)
Received: from pps.filterd (m0050102.ppops.net [127.0.0.1]) by m0050102.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v4K2SC58028335; Sat, 20 May 2017 03:47:04 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : content-type : content-transfer-encoding : mime-version; s=jan2016.eng; bh=LusgTDZsQ1a7G7XJWfnbTE6LWGqpoDEXzOQMuvr0PPs=; b=RnfYqEofLlbTS5gCrmpAnwsTIerqO1uZEevnopmYxlZ3sDlbA94kSO1TMB1imHWQhaOt QURu/H4lg1f8VY8MWyPJFZoK6OR2vo0CGDWV6Ivfvm+0Grn+7VW6E5BfPR5IZsN87T55 44QSAjs3Sr1PJ7aZJUPfr7uWxj+Hr+gIWRnBFCmgZd+d3F53xmOtvzE2T+ao34s2w9vz lurl73FbvJI173pQX02/Is4yl4WYgWE2afXbZEvXb+nTdpZ1q81GFlHOfQyPkwroSCeV OTuvg3vZK8cwCL+Wi8PSHAcQ/0hehp1p1DNYTw/3CZrup5l4urUh4eXrY8US9cSNx433 yA== 
Received: from prod-mail-ppoint1 (a184-51-33-18.deploy.static.akamaitechnologies.com [184.51.33.18] (may be forged)) by m0050102.ppops.net-00190b01. with ESMTP id 2ajavbrhn9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 20 May 2017 03:47:04 +0100
Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v4K2R5Of020076; Fri, 19 May 2017 22:47:03 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.34]) by prod-mail-ppoint1.akamai.com with ESMTP id 2adwfuj1pc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 19 May 2017 22:47:03 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb6.msg.corp.akamai.com (172.27.123.65) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 19 May 2017 19:47:02 -0700
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Fri, 19 May 2017 22:47:02 -0400
From: "Salz, Rich" 
To: Scott Kitterman , "dcrup@ietf.org" 
Thread-Topic: Cal to adopt draft-kitterman-dcrup-dkim-usage
Thread-Index: AdLRE0CFcQmdDjYtRdaBtQ/N4d9Z6w==
Date: Sat, 20 May 2017 02:47:02 +0000
Message-ID: <25a5579ea1984fdda0e340b74737b723@usma1ex-dag1mb1.msg.corp.akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.41.129]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-20_01:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705200013
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-20_01:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705200013
Archived-At: 
Subject: [Dcrup] Cal to adopt draft-kitterman-dcrup-dkim-usage
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Sat, 20 May 2017 02:47:07 -0000

> https://datatracker.ietf.org/doc/draft-kitterman-dcrup-dkim-usage/

We had some discussion, mostly me and Scott admittedly.

What do folks thing of the WG adopting this?

Please reply by next Friday.

=20


From nobody Sat May 20 08:04:18 2017
Return-Path: 
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1CF412741D for ; Sat, 20 May 2017 08:04:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.58
X-Spam-Level: *
X-Spam-Status: No, score=1.58 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eo2A7fbdZ-PO for ; Sat, 20 May 2017 08:04:15 -0700 (PDT)
Received: from miucha.iecc.com (www.iecc.com [IPv6:2001:470:1f07:1126::4945:4343]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A95CE12700F for ; Sat, 20 May 2017 08:04:15 -0700 (PDT)
Received: (qmail 47880 invoked from network); 20 May 2017 15:04:14 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 20 May 2017 15:04:14 -0000
Date: 20 May 2017 15:03:52 -0000
Message-ID: <20170520150352.10469.qmail@ary.lan>
From: "John Levine" 
To: dcrup@ietf.org
Cc: rsalz@akamai.com
In-Reply-To: <25a5579ea1984fdda0e340b74737b723@usma1ex-dag1mb1.msg.corp.akamai.com>
Organization: 
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: 
Subject: Re: [Dcrup] Cal to adopt draft-kitterman-dcrup-dkim-usage
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Sat, 20 May 2017 15:04:17 -0000

In article <25a5579ea1984fdda0e340b74737b723@usma1ex-dag1mb1.msg.corp.akamai.com> you write:
>> https://datatracker.ietf.org/doc/draft-kitterman-dcrup-dkim-usage/
>
>We had some discussion, mostly me and Scott admittedly.
>
>What do folks thing of the WG adopting this?

Sure, throw it into the hopper.

Also please don't forget Scott Rose's draft about crypto algorithms.

R's,
John


From nobody Sat May 20 15:39:05 2017
Return-Path: 
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C88BB12943E for ; Sat, 20 May 2017 15:39:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J7JGNIde3cxc for ; Sat, 20 May 2017 15:39:02 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C43C1200F1 for ; Sat, 20 May 2017 15:39:02 -0700 (PDT)
Received: from pps.filterd (m0050095.ppops.net [127.0.0.1]) by m0050095.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v4KMbsNR021839 for ; Sat, 20 May 2017 23:39:00 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : content-type : mime-version; s=jan2016.eng; bh=i8Qi6Jj3GMfY5cJywjJ8sZEyd94ru9wKIdMVBdagHDw=; b=CZjvR3LefFuwiDGXkiuYZOfSNCc1qL/aMLxLU1LuBavdYa9w9F+Z7ysFacHSsBM8Xb9n NvDa8z65J7GP9w4stQuJsPDr+hP1R0RJ8egrZ/GD1OufkLgR5igR7AvlLGxHCTlDEAOw NjuzlcWHpk+GUJrd4KT9e6eTuEPkYaRBj8+RW3eHH5e3XOoOGDK1qPEz1YXz0boCaBY+ j/AvL3ojtXdiso1qRPu1YY2hwLyfxQo+MJFIAO/PXiTUPuBGfD2tvxdww3AF0+R/EhtN GEYieoQWG+o28dIGuAP2RORlLSx1Mne05Jvbu04qLecJM4bwapZaAX9+xmW1Xxjy7sFe ag== 
Received: from prod-mail-ppoint2 (a184-51-33-19.deploy.static.akamaitechnologies.com [184.51.33.19] (may be forged)) by m0050095.ppops.net-00190b01. with ESMTP id 2ajdb3v147-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Sat, 20 May 2017 23:39:00 +0100
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v4KMaP6Y031408 for ; Sat, 20 May 2017 18:38:59 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.34]) by prod-mail-ppoint2.akamai.com with ESMTP id 2ajh4uhj2f-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for ; Sat, 20 May 2017 18:38:59 -0400
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag1mb4.msg.corp.akamai.com (172.27.123.104) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Sat, 20 May 2017 18:38:58 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb5.msg.corp.akamai.com (172.27.123.105) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Sat, 20 May 2017 18:38:58 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Sat, 20 May 2017 18:38:58 -0400
From: "Salz, Rich" 
To: "dcrup@ietf.org" 
Thread-Topic: WG call for adoption https://tools.ietf.org/html/draft-srose-dkim-ecc-00
Thread-Index: AdLRubnBm46oq6OfQhmUcCzwJD/J+w==
Date: Sat, 20 May 2017 22:38:57 +0000
Message-ID: <4062d8f0cafd4fd295a79c81310a086f@usma1ex-dag1mb1.msg.corp.akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.41.71]
Content-Type: multipart/alternative; boundary="_000_4062d8f0cafd4fd295a79c81310a086fusma1exdag1mb1msgcorpak_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-20_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705200123
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-20_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705200123
Archived-At: 
Subject: [Dcrup] WG call for adoption https://tools.ietf.org/html/draft-srose-dkim-ecc-00
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Sat, 20 May 2017 22:39:04 -0000

--_000_4062d8f0cafd4fd295a79c81310a086fusma1exdag1mb1msgcorpak_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

This was brought up when the WG was just created and I wanted to wait a bit=
.  Thanks to JohnL for nudging me.

Should the WG adopt https://tools.ietf.org/html/draft-srose-dkim-ecc-00  ? =
 Please respond by next Friday.



--
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richsalz@jabber.at Twitter: RichSalz


--_000_4062d8f0cafd4fd295a79c81310a086fusma1exdag1mb1msgcorpak_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable











This was brought up when the WG was just created and=
 I wanted to wait a bit.  Thanks to JohnL for nudging me.

 


Should the WG adopt 
https://tools.ietf.org/html/draft-srose-dkim-ecc-00  ?  Pleas=
e respond by next Friday.


 


 


 


--  


Senior Architect, Akamai Technologies


Member, OpenSSL Dev Team


IM: richsalz@jabber.at Twitter: RichSalz<=
/p>

 






--_000_4062d8f0cafd4fd295a79c81310a086fusma1exdag1mb1msgcorpak_--


From nobody Sat May 20 15:47:27 2017
Return-Path: 
X-Original-To: dcrup@ietf.org
Delivered-To: dcrup@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 55CC71271DF; Sat, 20 May 2017 15:46:14 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: IETF Meeting Session Request Tool 
To: 
Cc: rsalz@akamai.com, dcrup@ietf.org, dcrup-chairs@ietf.org, aamelnikov@fastmail.fm
X-Test-IDTracker: no
X-IETF-IDTracker: 6.51.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <149532037425.27383.9131165873985143035.idtracker@ietfa.amsl.com>
Date: Sat, 20 May 2017 15:46:14 -0700
Archived-At: 
X-Mailman-Approved-At: Sat, 20 May 2017 15:47:26 -0700
Subject: [Dcrup] dcrup - New Meeting Session Request for IETF 99
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
List-Id: DKIM Crypto Update 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Sat, 20 May 2017 22:46:14 -0000

A new meeting session request has just been submitted by Rich Salz, a Chair of the dcrup working group.


---------------------------------------------------------
Working Group Name: DKIM Crypto Update
Area Name: Applications and Real-Time Area
Session Requester: Rich Salz

Number of Sessions: 1
Length of Session(s):  30 Minutes
Number of Attendees: 20
Conflicts to Avoid: 
 First Priority: lamps cfrg




People who must be present:
  Rich Salz
  Alexey Melnikov
  Murray Kucherawy

Resources Requested:

Special Requests:
  
---------------------------------------------------------


From nobody Sun May 21 11:53:42 2017
Return-Path: 
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A3E4126557 for ; Sun, 21 May 2017 11:53:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.698
X-Spam-Level: 
X-Spam-Status: No, score=0.698 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andreasschulze.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4M0eLZVoQ207 for ; Sun, 21 May 2017 11:53:39 -0700 (PDT)
Received: from mail.somaf.de (mail.somaf.de [IPv6:2001:a60:f0b4:e503:2cdb:beff:feaa:880b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 518B8126B71 for ; Sun, 21 May 2017 11:53:38 -0700 (PDT)
Received: from [IPv6:2001:a60:f0b4:172:551f:780e:b303:3851] (unknown [IPv6:2001:a60:f0b4:172:551f:780e:b303:3851]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (Client did not present a certificate) (Authenticated sender: sca@andreasschulze.de) by mail.somaf.de (Postfix) with ESMTPSA id 3wW9t56y1ZzDfm for ; Sun, 21 May 2017 20:53:33 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=andreasschulze.de; s=ybz; t=1495392814; bh=Uyou7D6AOdkR5oFhDZNjo/U6EfAVRDxW7mYMNzd/lp8=; h=Subject:To:References:From:Date:In-Reply-To; b=YKYjCbeP+ylLh0oHFKr1i7HxNUZOKwDNodTDlOBZsXkTSqKVUd2qnEXRPYKIrul3m FJe0z1eIWzZKwKLXksEWmBhTG3V2qimjreGFZY6bIlIz3IetApuIb0poqqaNZLs5dv sJEfVvAp/qj99sqMLaRvtvrWdw2IGLY0gZUlmCh5fcCdg979Oqj07CTik5UGMH9t1P Aa5qcsUFgkwW8ITJYwhMAjjx1RwgJlBUddWU7s4N5UnirxFjYyKnd4+aRMGFi/JEhi oG/T1cH4apkcfRwQWcRX8eqoQAVP/sEAApWbPOECBma+Mm4boxXR5lycTS1wNHiPpY mWGiRMM20oOww==
To: dcrup@ietf.org
References: <25a5579ea1984fdda0e340b74737b723@usma1ex-dag1mb1.msg.corp.akamai.com>
From: "A. Schulze" 
Message-ID: <924fdb52-f9c2-492b-6c30-53fb3cc67746@andreasschulze.de>
Date: Sun, 21 May 2017 20:51:25 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.0
MIME-Version: 1.0
In-Reply-To: <25a5579ea1984fdda0e340b74737b723@usma1ex-dag1mb1.msg.corp.akamai.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: 
Subject: Re: [Dcrup] Cal to adopt draft-kitterman-dcrup-dkim-usage
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Sun, 21 May 2017 18:53:41 -0000

Am 20.05.2017 um 04:47 schrieb Salz, Rich:
>> https://datatracker.ietf.org/doc/draft-kitterman-dcrup-dkim-usage/

I'm fine with the draft...

Andreas


From nobody Mon May 22 13:39:10 2017
Return-Path: 
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1481312702E for ; Mon, 22 May 2017 13:39:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 07QOEAfTDxwQ for ; Mon, 22 May 2017 13:39:07 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF965128792 for ; Mon, 22 May 2017 13:39:07 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id DE94730053F for ; Mon, 22 May 2017 16:39:06 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 6-owdUxK9BP2 for ; Mon, 22 May 2017 16:39:05 -0400 (EDT)
Received: from a860b60074bd.home (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id 9A20C3000FF; Mon, 22 May 2017 16:39:05 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Russ Housley 
In-Reply-To: <25a5579ea1984fdda0e340b74737b723@usma1ex-dag1mb1.msg.corp.akamai.com>
Date: Mon, 22 May 2017 16:39:05 -0400
Cc: "dcrup@ietf.org" 
Content-Transfer-Encoding: quoted-printable
Message-Id: 
References: <25a5579ea1984fdda0e340b74737b723@usma1ex-dag1mb1.msg.corp.akamai.com>
To: Rich Salz 
X-Mailer: Apple Mail (2.3273)
Archived-At: 
Subject: Re: [Dcrup] Cal to adopt draft-kitterman-dcrup-dkim-usage
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Mon, 22 May 2017 20:39:09 -0000

This document call for RSA using PKCS#1 v1.5 with SHA-256 and allows =
keys as small as 1024 bits.  Keys this short need to be changed often, =
and the security considerations need to be expanded to explain the =
situation.  It should probably say that long-lived keys need to be at =
least 2048 bits, and the shorter keys need to be change  often.

Russ


> On May 19, 2017, at 10:47 PM, Salz, Rich  wrote:
>=20
>> https://datatracker.ietf.org/doc/draft-kitterman-dcrup-dkim-usage/
>=20
> We had some discussion, mostly me and Scott admittedly.
>=20
> What do folks thing of the WG adopting this?
>=20
> Please reply by next Friday.


From nobody Tue May 23 08:41:54 2017
Return-Path: 
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 674081298BA for ; Tue, 23 May 2017 08:41:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.801
X-Spam-Level: 
X-Spam-Status: No, score=0.801 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LxwD42V_kuMM for ; Tue, 23 May 2017 08:41:50 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 761251294EE for ; Tue, 23 May 2017 08:41:50 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id A2364300562 for ; Tue, 23 May 2017 11:41:49 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id OVy3OmtBplVp for ; Tue, 23 May 2017 11:41:47 -0400 (EDT)
Received: from a860b60074bd.home (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id C6B0730042E; Tue, 23 May 2017 11:41:47 -0400 (EDT)
From: Russ Housley 
Message-Id: 
Content-Type: multipart/alternative; boundary="Apple-Mail=_B62A5E15-12A3-45EF-9569-B2A3A5869157"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Tue, 23 May 2017 11:41:47 -0400
In-Reply-To: <4062d8f0cafd4fd295a79c81310a086f@usma1ex-dag1mb1.msg.corp.akamai.com>
Cc: "dcrup@ietf.org" 
To: Rich Salz 
References: <4062d8f0cafd4fd295a79c81310a086f@usma1ex-dag1mb1.msg.corp.akamai.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: 
Subject: Re: [Dcrup] WG call for adoption https://tools.ietf.org/html/draft-srose-dkim-ecc-00
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Tue, 23 May 2017 15:41:52 -0000

--Apple-Mail=_B62A5E15-12A3-45EF-9569-B2A3A5869157
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

A lot more needs to be said to define Ed25519 or Ed448 to be used with =
DKIM.  As they are being used in the CURDLE WG, they do not accept a =
hash value and an input for signing.

I think it is important that the WG define an ECC solution, so I do not =
mind starting with this document, but there is a good bit of work =
needed.

Russ


> On May 20, 2017, at 6:38 PM, Salz, Rich  wrote:
>=20
> This was brought up when the WG was just created and I wanted to wait =
a bit.  Thanks to JohnL for nudging me.
> =20
> Should the WG adopt =
https://tools.ietf.org/html/draft-srose-dkim-ecc-00 =
  ?  Please respond =
by next Friday.
> =20
> =20
> =20
> -- =20
> Senior Architect, Akamai Technologies
> Member, OpenSSL Dev Team
> IM: richsalz@jabber.at  Twitter: RichSalz


--Apple-Mail=_B62A5E15-12A3-45EF-9569-B2A3A5869157
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

A lot more needs to be said to define Ed25519 or Ed448 to be =
used with DKIM.  As they are being used in the CURDLE WG, they do =
not accept a hash value and an input for signing.

I think it is important that the WG =
define an ECC solution, so I do not mind starting with this document, =
but there is a good bit of work needed.

Russ


On =
May 20, 2017, at 6:38 PM, Salz, Rich <rsalz@akamai.com> =
wrote:

This was brought up when the WG was just created and I wanted =
to wait a bit.  Thanks to JohnL for nudging me.
 
Should =
the WG adopt https://tools.ietf.org/html/draft-srose-dkim-ecc-00  =
?  Please respond by next Friday.
 
 
 
--  
Senior =
Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richsalz@jabber.at Twitter: RichSalz

=

--Apple-Mail=_B62A5E15-12A3-45EF-9569-B2A3A5869157--


From nobody Tue May 23 10:48:22 2017
Return-Path: 
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E1EB129AB3 for ; Tue, 23 May 2017 10:48:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.801
X-Spam-Level: 
X-Spam-Status: No, score=-2.801 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OXUsn4rmWPgm for ; Tue, 23 May 2017 10:48:17 -0700 (PDT)
Received: from wsget2.nist.gov (wsget2.nist.gov [IPv6:2610:20:6005:13::151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68D05126D05 for ; Tue, 23 May 2017 10:48:15 -0700 (PDT)
Received: from WSGHUB1.xchange.nist.gov (129.6.42.34) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.3.319.2; Tue, 23 May 2017 13:48:23 -0400
Received: from postmark.nist.gov (129.6.16.94) by mail-g.nist.gov (129.6.42.33) with Microsoft SMTP Server id 14.3.319.2; Tue, 23 May 2017 13:48:01 -0400
Received: from [129.6.140.7] ([129.6.140.7])	by postmark.nist.gov (8.13.8/8.13.1) with ESMTP id v4NHls4p032147	for ; Tue, 23 May 2017 13:47:54 -0400
From: "Rose, Scott" 
To: "dcrup@ietf.org" 
Date: Tue, 23 May 2017 13:47:54 -0400
Message-ID: <9CDA8224-55E9-4748-9173-60D7F0D09CAC@nist.gov>
In-Reply-To: 
References: <4062d8f0cafd4fd295a79c81310a086f@usma1ex-dag1mb1.msg.corp.akamai.com> 
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_50DCAB6D-363C-478B-A93C-9B95405CEE07_="
Embedded-HTML: [{"HTML":[661, 3313], "plain":[373, 848], "uuid":"F5C77BA1-64EE-45D6-BDA7-80CA26ABB708"}]
X-Mailer: MailMate (1.9.6r5347)
X-NIST-MailScanner-Information: 
Archived-At: 
Subject: Re: [Dcrup] WG call for adoption https://tools.ietf.org/html/draft-srose-dkim-ecc-00
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Tue, 23 May 2017 17:48:20 -0000

--=_MailMate_50DCAB6D-363C-478B-A93C-9B95405CEE07_=
Content-Type: text/plain; format=flowed

I-D author here,
Yes - I agree.  It needs work.  It was my attempt to just have something 
to start the conversation, not knowing the conversation had started 
earlier.

If it is accepted as a WG doc, I will continue to edit it with WG input. 
  I believe it is something that is needed and will go about updating 
it.

Scott

On 23 May 2017, at 11:41, Russ Housley wrote:

> A lot more needs to be said to define Ed25519 or Ed448 to be used with 
> DKIM.  As they are being used in the CURDLE WG, they do not accept a 
> hash value and an input for signing.
>
> I think it is important that the WG define an ECC solution, so I do 
> not mind starting with this document, but there is a good bit of work 
> needed.
>
> Russ
>
>
>> On May 20, 2017, at 6:38 PM, Salz, Rich  wrote:
>>
>> This was brought up when the WG was just created and I wanted to wait 
>> a bit.  Thanks to JohnL for nudging me.
>>
>> Should the WG adopt 
>> https://tools.ietf.org/html/draft-srose-dkim-ecc-00 
>>   ?  Please 
>> respond by next Friday.
>>
>>
>>
>> --
>> Senior Architect, Akamai Technologies
>> Member, OpenSSL Dev Team
>> IM: richsalz@jabber.at  Twitter: RichSalz


> _______________________________________________
> Dcrup mailing list
> Dcrup@ietf.org
> https://www.ietf.org/mailman/listinfo/dcrup


===================================
Scott Rose
NIST ITL
scott.rose@nist.gov
+1-301-975-8439
GV: +1-571-249-3671
===================================

--=_MailMate_50DCAB6D-363C-478B-A93C-9B95405CEE07_=
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable








I-D author here,
Yes - I agree.  It needs work.  It was my attempt to just have something =
to start the conversation, not knowing the conversation had started earli=
er.  


If it is accepted as a WG doc, I will continue to edit it=
 with WG input.  I believe it is something that is needed and will go abo=
ut updating it.


Scott


On 23 May 2017, at 11:41, Russ Housley wrote:




A lot more needs to be said to define Ed25519=
 or Ed448 to be used with DKIM.  As they are being used in the CURDL=
E WG, they do not accept a hash value and an input for signing.

I think it is important that t=
he WG define an ECC solution, so I do not mind starting with this documen=
t, but there is a good bit of work needed.

Russ


On May 20, 2017, at 6:38 PM, Salz=
, Rich <rsalz@akamai.co=
m> wrote:

This was b=
rought up when the WG was just created and I wanted to wait a bit.  =
Thanks to JohnL for nudging me.
 
Should the WG adopt https://tools.=
ietf.org/html/draft-srose-dkim-ecc-00  ?  Please respond by=
 next Friday.
 
 
 =

--  
Senior Architect, Akamai Technologies<=
/div>
Member, OpenSSL Dev Team
IM: richsalz@jabber.at<=
/a> Twitter: RichSalz

<=
/div>




____________________________________________=
___

Dcrup mailing list

Dcrup@ietf.org

https://www.ietf.=
org/mailman/listinfo/dcrup


=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Scott Rose

NIST ITL

scott.rose@nist.gov

+1-301-975-8439

GV: +1-571-249-3671

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D








--=_MailMate_50DCAB6D-363C-478B-A93C-9B95405CEE07_=--


From nobody Thu May 25 02:52:54 2017
Return-Path: 
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D03E9129405 for ; Thu, 25 May 2017 02:52:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.018
X-Spam-Level: 
X-Spam-Status: No, score=-1.018 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_FACE_BAD=0.981, HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pMjoprMgo7tK for ; Thu, 25 May 2017 02:52:49 -0700 (PDT)
Received: from mail-qt0-x230.google.com (mail-qt0-x230.google.com [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81F8F129415 for ; Thu, 25 May 2017 02:52:49 -0700 (PDT)
Received: by mail-qt0-x230.google.com with SMTP id t26so175966741qtg.0 for ; Thu, 25 May 2017 02:52:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=llR2MOt1Fgsy5CaWRLvL60Azu5dJ4BwkD3O19s3EKmU=; b=BEpRSvtMQL3XOB46fs/R3RaPRTjxBBUnb8voV44qNKEBLcBTgJq8bk2DU228RCLS6t iKcP9m5V87LOMGAYSYyhr1ax2C0WTBKfr+asKF1S4rK39Sjox5alb1/OssUHxK1mbvbe aKMqQkIhvYrDbxoD8+4iHEVR7fwuFrrAqt05Dn5pyE+pGVGjOZAmujDwGY5jUVR3YyEk hE/CMxGryi+wa0MBGZHHEcLJzbXGsVqtuSHu2Q6Ud78mLXHcvl6Ntk7udZLlSBYhYLqR kLU/UBUc1Zl3lsAOwapNzyFz3SFyNtpSQHidzzqh8oQ5bVj6GLqi6Y+ohxkn5DrbPyMr D5kA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=llR2MOt1Fgsy5CaWRLvL60Azu5dJ4BwkD3O19s3EKmU=; b=XTXKodPoDZ6pcxLGvcTg7SIymMiE7oVffP8tMF/cZeQRlbZew5oB/1CX+vtkqAhi3x CBzXSfoEt5CPzpeWSqIS9CsaTGM8wAAPBNQ9Fk2lM5YEHJ+RFS49FVLj6ADUWG7xnx8i vqsQhNLIs9sK7sNyQUq99a4YgwjBM5RhTR/zw4+M3LdjECpiVnfTEtTN1kLKI5p7fVj5 u+gEb+Jb6H/MkiWIqnq2tyACMaonQ9vthbHOwxAH0ByBjSdBwZmB6+pt6l1kIKLqocL1 0EFtOfdrk+S/JtLxEi+PBrPWMC4cxwj0GZ8UUDcLBZA3ciUnCsJTjUvyQ5r0yz2rzdsi gbrA==
X-Gm-Message-State: AODbwcBOfZEkmDqgkVie0Mhc68ZapRIYidf6Avx7wT6ZwQZPOdynLkXM MLpS3QE6ahMFcxRPCj/2pejXPhkXZHo+
X-Received: by 10.200.40.193 with SMTP id j1mr42875275qtj.186.1495705968629; Thu, 25 May 2017 02:52:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.185.152 with HTTP; Thu, 25 May 2017 02:52:48 -0700 (PDT)
In-Reply-To: <25a5579ea1984fdda0e340b74737b723@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <25a5579ea1984fdda0e340b74737b723@usma1ex-dag1mb1.msg.corp.akamai.com>
From: Peter Goldstein 
Date: Thu, 25 May 2017 02:52:48 -0700
Message-ID: 
To: "Salz, Rich" 
Cc: Scott Kitterman , "dcrup@ietf.org" 
Content-Type: multipart/alternative; boundary="001a11406bf6f314260550562e19"
Archived-At: 
Subject: Re: [Dcrup] Cal to adopt draft-kitterman-dcrup-dkim-usage
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Thu, 25 May 2017 09:52:53 -0000

--001a11406bf6f314260550562e19
Content-Type: text/plain; charset="UTF-8"

Looks good.

Best,

Peter

On Fri, May 19, 2017 at 7:47 PM, Salz, Rich  wrote:

> > https://datatracker.ietf.org/doc/draft-kitterman-dcrup-dkim-usage/
>
> We had some discussion, mostly me and Scott admittedly.
>
> What do folks thing of the WG adopting this?
>
> Please reply by next Friday.
>
>
>
> _______________________________________________
> Dcrup mailing list
> Dcrup@ietf.org
> https://www.ietf.org/mailman/listinfo/dcrup
>



-- 


[image: logo for sig file.png]

Bringing Trust to Email

Peter Goldstein | CTO & Co-Founder

peter@valimail.com
+1.415.793.5783

--001a11406bf6f314260550562e19
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable


Looks good.

Best,

<=
div>Peter

On Fri, May 19, 2017 at 7:47 PM, Salz, Rich <rsalz@akamai.=
com> wrote:
> https://datatracker.ietf.org/doc/draft-=
kitterman-dcrup-dkim-usage/



We had some discussion, mostly me and Scott admittedly.



What do folks thing of the WG adopting this?



Please reply by next Friday.







_______________________________________________

Dcrup mailing list

Dcrup@ietf.org

https://www.ietf.org/mailman/listinfo/dcrup





-- 
<=
br>
3D"logo
Bringing Trust to Email
Peter Goldstein | CTO &=
; Co-Founder
peter@valimail.com
+1.415.793.5783
=




--001a11406bf6f314260550562e19--


From nobody Tue May 30 17:58:52 2017
Return-Path: 
X-Original-To: dcrup@ietf.org
Delivered-To: dcrup@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 2154C128D8B; Tue, 30 May 2017 17:58:51 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: 
Cc: dcrup@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.52.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <149619233095.19793.14947085917778354002@ietfa.amsl.com>
Date: Tue, 30 May 2017 17:58:51 -0700
Archived-At: 
Subject: [Dcrup] I-D Action: draft-ietf-dcrup-dkim-usage-00.txt
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
List-Id: DKIM Crypto Update 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Wed, 31 May 2017 00:58:51 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the DKIM Crypto Update of the IETF.

        Title           : Cryptographic Algorithm and Key Usage to DKIM
        Author          : Scott Kitterman
	Filename        : draft-ietf-dcrup-dkim-usage-00.txt
	Pages           : 5
	Date            : 2017-05-30

Abstract:
   The cryptographic algorithm and key size requirements included when
   DKIM was designed in the last decade are functionally obsolete and in
   need of immediate revision.  This document updates DKIM requirements
   to those minimaly suitable for operation with currently specified
   algorithms.  This document updates RFC 6376.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dcrup-dkim-usage/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dcrup-dkim-usage-00
https://datatracker.ietf.org/doc/html/draft-ietf-dcrup-dkim-usage-00


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/