From nobody Thu Oct 19 00:39:06 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75DCC134618 for ; Thu, 19 Oct 2017 00:39:05 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.699 X-Spam-Level: X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qAea6sadIUoe for ; Thu, 19 Oct 2017 00:38:58 -0700 (PDT) Received: from mail-qk0-x22e.google.com (mail-qk0-x22e.google.com [IPv6:2607:f8b0:400d:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B245B1345EC for ; Thu, 19 Oct 2017 00:35:33 -0700 (PDT) Received: by mail-qk0-x22e.google.com with SMTP id n5so9250755qke.11 for ; Thu, 19 Oct 2017 00:35:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=RvZjRMFV5dU2vYyGzmZbf8nzjed1VjGOqGNxx5YDHeA=; b=oKoZ1QSZbdBordNCIxQbakXNdQv8AKhMTcBWNYw1NxEVaRzghxlZ6jf7SEScmmolT9 XDZf5+q6LL8KLQ/8mdfPTzQoeGd7zc6LssxxvVCv6c3CaKP1yK8nihEt83+cX5nvqj6a fMberOX9jNO2B9gTXADLwVlMwNjOkRY4Odh9NX61+YTKT7qin8suFkB/ACRTUDL1ZZxT cll07EzykLZkYJRM8d8EaaF7ALMOEQfGoEdg4i9uifG40J3qGb3TrrKKTPMiaVzY/wLv qAS9FeKLA/e+zDhurELU2g+86/A+VOjercQyzizho7q2QC7TGiMW3mQCVdY1Zgq/Hogs S7uw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=RvZjRMFV5dU2vYyGzmZbf8nzjed1VjGOqGNxx5YDHeA=; b=Z0Upkl+KfMazycMKP9g1F6LvGJobz3qYjb5CidKS5oTQc+8fibv7Gz2rK35nbE2AYh TOh5PrgO+VWIAmShZZXZIYj2b3N41blO7ifVYo/NXls56e8P0UXZfwmzfVLLO0wy4MJA zAcNlrNh1OJk/pb8qPJAN9ivQ1DrN3DGWzI3mMiMuCQDMPgR2l5ucZ7GPybLqc2usm12 zHFIzRej/yfujJDuc3DO3kZ5OEZA7tYcXPO0st5Tp7uDMsJtjrY1IVrZbeOezTBZLQnY 5zyYBmsC48nqf2r/mC3nhB6xxoqptR/vSbP76XPwpvW3LbLzTgUljI8uigoq7idY8gca 4VXQ== X-Gm-Message-State: AMCzsaXdIEG9FWcZdw5hSP4ZqiPx5THFaAUc3CYnvT67LGbE3s2uvPDS WrCfv+1uUAePLuvcgD0jte0+S60Alkzg38PQvic/Kg== X-Google-Smtp-Source: ABhQp+R2T8SYY3BckweGi7QtRQ1VlfLBdZoszVW8Hze5KTXiKCoXjSFUccLeGojIkjIjq4k6YFYaoBKS+W53K5hOjCI= X-Received: by 10.55.95.67 with SMTP id t64mr783125qkb.249.1508398532335; Thu, 19 Oct 2017 00:35:32 -0700 (PDT) MIME-Version: 1.0 Received: by 10.200.40.115 with HTTP; Thu, 19 Oct 2017 00:35:31 -0700 (PDT) In-Reply-To: <150656461384.13748.13197533071257342162.idtracker@ietfa.amsl.com> References: <150656461384.13748.13197533071257342162.idtracker@ietfa.amsl.com> From: "Murray S. Kucherawy" Date: Thu, 19 Oct 2017 00:35:31 -0700 Message-ID: To: dcrup@ietf.org Content-Type: multipart/alternative; boundary="94eb2c0546c0b31fcf055be16691" Archived-At: Subject: Re: [Dcrup] Ben Campbell's Yes on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Oct 2017 07:39:05 -0000 --94eb2c0546c0b31fcf055be16691 Content-Type: text/plain; charset="UTF-8" Reducing distribution since this has been approved, but just to close the issues raised by the IESG Review: On Wed, Sep 27, 2017 at 7:10 PM, Ben Campbell wrote: > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > -4: "Verifiers MUST verify using rsa-sha256." > > Should this say "...MUST be able to..."? That is, am I correct in assuming > that > a verifier will use the scheme specified by the signer if it is capable of > doing so, and that it doesn't make sense to try to verify with rsa-sha256 > if > the signer used something else? > I see Ben's point, and "MUST be able to..." sounds reasonable to me. I think this also addresses Jari's GEN-ART point (to which Mirja alluded), and his "MUST implement" suggestion also seems reasonable to me. What does the WG prefer? -MSK --94eb2c0546c0b31fcf055be16691 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Reducing distribution since this has been approved, but ju= st to close the issues raised by the IESG Review:

On Wed, Sep 27, 2017 at 7:10 PM, B= en Campbell <ben@nostrum.com> wrote:

-----------------------------------------------------------------= -----
COMMENT:
-----------------------------------------------------------------= -----

-4: "Verifiers MUST verify using rsa-sha256."

Should this say "...MUST be able to..."? That is, am I correct in= assuming that
a verifier will use the scheme specified by the signer if it is capable of<= br> doing so, and that it doesn't make sense to try to verify with rsa-sha2= 56 if
the signer used something else?

I see B= en's point, and "MUST be able to..." sounds reasonable to me.= =C2=A0 I think this also addresses Jari's GEN-ART point (to which Mirja= alluded), and his "MUST implement" suggestion also seems reasona= ble to me.

What does the WG prefer?
=
-MSK
--94eb2c0546c0b31fcf055be16691-- From nobody Thu Oct 19 00:40:12 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97C8A1344BC for ; Thu, 19 Oct 2017 00:40:11 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.699 X-Spam-Level: X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kj_jqVhQ0q4Y for ; Thu, 19 Oct 2017 00:40:09 -0700 (PDT) Received: from mail-qk0-x22e.google.com (mail-qk0-x22e.google.com [IPv6:2607:f8b0:400d:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF3BF134573 for ; Thu, 19 Oct 2017 00:37:17 -0700 (PDT) Received: by mail-qk0-x22e.google.com with SMTP id m189so9264586qke.4 for ; Thu, 19 Oct 2017 00:37:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=kfc3VvMx5+JFYq+erDZul9iDriMOV80BI6vmQs/Ge7U=; b=mLu3/icmt0gWt6YnGC87POkCrVy082lpbXJzkMGsu2y6Sp0ED1CfoxG27YYprcg8wJ Ani602Cd+tzESHzkNXIIBLKiydF+9cFP5Dz+9X+1a1buL4CoTAbxD+xCgYQu9X/F/4tX Hz71DzSV4XfyQWDOmrLtjxZywpc/4dK0GNdQ3tHy60bkkJCVCUGStBZsXNw93f/xSRCp L+q2CJ1okEb6ufLEcAXK4Q1RUIfJCL4jg29zlOLpcF1hFLoP5XK7IKOkAPvbuS8X8Yoo QvxTRNHKDxtuoonVD8VMGBxHCyemOiQpPaqJhPxYwh63fV7PpJJPY6IK2e2qrlWfn+rv pxSw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=kfc3VvMx5+JFYq+erDZul9iDriMOV80BI6vmQs/Ge7U=; b=EU2nYuxo3LEWO/lYYZDor/w84GovtLHKUfzPgG1vBuZci1OrEJlmeJ2gx3CiweI9lF 6pnbz8NYakI6Ty1ESjINQJZZrpCEo71CXNc8d4sCh8TdeivJtDl0LSImrzErBMIET6Tx 0ENXpqTR6kzSkDW/5+IFxA257iNnwcT3149MfF1kn2D1rc7x53DEXSpve2My04+wOgwN oG5Vwq7P8h+dJ+VzcV8QptCYG2iHTI5VOyhmv92e3FOYP1jzo24VlOWASa5z2PkcpLw1 wwZbxJwAkpbI8jJhRgR54SYgZgzbRyOrufRGym5UdBIqg6N8xecgqwJckUjwbeW+RvWn TScg== X-Gm-Message-State: AMCzsaXNXk4YqS0POUvMvgsado2eVQ9t3c0LRxM4osVnsxjkgP1gvwPJ uXSfS7NK72WJReQtdoXjjgMhJKNKoS5cosZMqanEnYld X-Google-Smtp-Source: ABhQp+TIXpJhAwiY1Jn465232WsC+GGtP/VfAOjaGxTz/0807uejV6ccLltAnL3jVyWXxTDMrjBIJawKnJREe7bfu+k= X-Received: by 10.55.108.135 with SMTP id h129mr802789qkc.111.1508398636699; Thu, 19 Oct 2017 00:37:16 -0700 (PDT) MIME-Version: 1.0 Received: by 10.200.40.115 with HTTP; Thu, 19 Oct 2017 00:37:16 -0700 (PDT) In-Reply-To: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> From: "Murray S. Kucherawy" Date: Thu, 19 Oct 2017 00:37:16 -0700 Message-ID: To: dcrup@ietf.org Content-Type: multipart/alternative; boundary="001a1148809aeb9906055be16c2a" Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Oct 2017 07:40:12 -0000 --001a1148809aeb9906055be16c2a Content-Type: text/plain; charset="UTF-8" Reducing distribution since this has been approved, but just to close the issues raised by the IESG Review: On Tue, Sep 26, 2017 at 10:40 PM, Adam Roach wrote: > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > I would have expected section 4 to be explicit in the interaction between > the > requirement that "rsa-sha1 MUST NOT be used for signing or verifying" and > the > Authentication-Results header defined in RFC 7001. In particular, I would > have > expected to see guidance here whether receipt of a message using sha1 > should be > coded as "neutral" or "policy": as an implementor, I would be unsure which > one > to use. I think this is worth considering. What guidance (if any) should we provide to a verifier that receives an "rsa-sha1" signature in terms of how to record it in an A-R field? One could make an argument for either of the two proposed results. -MSK --001a1148809aeb9906055be16c2a Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Reducing distribution since this has been approved, but ju= st to close the issues raised by the IESG Review:

On Tue, Sep 26, 2017 at 10:40 PM, Adam Roac= h <adam@nostrum.com> wrote:

-----------------------------------------------------------------= -----
COMMENT:
-----------------------------------------------------------------= -----

I would have expected section 4 to be explicit in the interaction between t= he
requirement that "rsa-sha1 MUST NOT be used for signing or verifying&q= uot; and the
Authentication-Results header defined in RFC 7001. In particular, I would h= ave
expected to see guidance here whether receipt of a message using sha1 shoul= d be
coded as "neutral" or "policy": as an implementor, I wo= uld be unsure which one
to use.

I think this is worth considering.= =C2=A0 What guidance (if any) should we provide to a verifier that receives= an "rsa-sha1" signature in terms of how to record it in an A-R f= ield?=C2=A0 One could make an argument for either of the two proposed resul= ts.

-MSK
--001a1148809aeb9906055be16c2a-- From nobody Thu Oct 19 01:40:22 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BBFD13478F for ; Thu, 19 Oct 2017 01:40:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tKukrd5qHzwW for ; Thu, 19 Oct 2017 01:40:20 -0700 (PDT) Received: from mail-oi0-x235.google.com (mail-oi0-x235.google.com [IPv6:2607:f8b0:4003:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E603A1320D8 for ; Thu, 19 Oct 2017 01:40:19 -0700 (PDT) Received: by mail-oi0-x235.google.com with SMTP id m198so13284615oig.5 for ; Thu, 19 Oct 2017 01:40:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+LLIuMqMMO0QzVwY6BsDcGgPj1BvTa0IA9+/AAQHPP8=; b=g6NtNiqIeyGlHxS5N9sxjbMQV3Iuqbs1qwgjZebs1spEtGk6ybaH8lYub4ka6ZG5Zc vOSQMfBM4dgHatgCAzxR0ocTe2zy66Fzydt3ySb1j5i0ETb6SduQn3vWwsO400mmYAd9 ZEyRKVoN6/U74/3e+3qQsO7cgOUi1GTxDRvzWsfDa+zEbe67OAbmiyPOmziHKOax0iui /d0WGswmWtmvV5x7NYuXahoLjVqsUX+/J1fy+j6MFRTxe4F3kLSzMRNWpvM/e+mLHTyA b2nSiwlcYzHeNv344L5t7bz/Y6h3ezcp687cQhgXAn/81Lf5xSEnN/IfhokUsv1dfsYC NuwA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+LLIuMqMMO0QzVwY6BsDcGgPj1BvTa0IA9+/AAQHPP8=; b=VJWa7whVyZfyiQlJ+inj+c6sqsQiQk1lSOPfWsgyL7paGidr4F5M4td0BbNQ+q33Wp EdBnEswHQEgBSueN12FfMfQR8VVlGcny/lcKPd0b8Z3cZFGEkUyvuLpj9W7TGneghNYi JeI1EyI9CJ6jLfcKveBvj26b1w3CkB1G8fyPR7atK/9VrODrrJxOqfvbKUyUhtMELV3j BjG2fOwIZBVNhxnRT8Hr0Co0dkUw0b0pb7lvgTeA4qKfs8GFeCM4xGsbp9/HKYmc5rgd MluOhFigUN85wKuT5X6M/O09TlKCfTmZa9PNiJH9V4SpMXeHV17hAXh6c8O/rCIjSWIS MMsQ== X-Gm-Message-State: AMCzsaXq3XyhWK2/SUuHx85WEwrCXzcHdBEVR3bC/AzhGgDe2M3OM4UW C31ZdcCFsa2ajS1K0W16hsiuJ7XbVDcNNXrSEHM= X-Google-Smtp-Source: ABhQp+RnG6TANKUqCavjINLgg7tvK0TQ/vGhOvDAdg8cNa2+jbK78eLFgMU/DMkilWY+xe+IKvwYsOABFCp0oYm4uhs= X-Received: by 10.157.51.146 with SMTP id u18mr410449otc.98.1508402419277; Thu, 19 Oct 2017 01:40:19 -0700 (PDT) MIME-Version: 1.0 Received: by 10.157.72.178 with HTTP; Thu, 19 Oct 2017 01:40:18 -0700 (PDT) In-Reply-To: References: <150656461384.13748.13197533071257342162.idtracker@ietfa.amsl.com> From: Martin Thomson Date: Thu, 19 Oct 2017 19:40:18 +1100 Message-ID: To: "Murray S. Kucherawy" Cc: dcrup@ietf.org Content-Type: text/plain; charset="UTF-8" Archived-At: Subject: Re: [Dcrup] Ben Campbell's Yes on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Oct 2017 08:40:21 -0000 On Thu, Oct 19, 2017 at 6:35 PM, Murray S. Kucherawy wrote: >> -4: "Verifiers MUST verify using rsa-sha256." >> >> Should this say "...MUST be able to..."? That is, am I correct in assuming >> that >> a verifier will use the scheme specified by the signer if it is capable of >> doing so, and that it doesn't make sense to try to verify with rsa-sha256 >> if >> the signer used something else? > > > I see Ben's point, and "MUST be able to..." sounds reasonable to me. I > think this also addresses Jari's GEN-ART point (to which Mirja alluded), and > his "MUST implement" suggestion also seems reasonable to me. > > What does the WG prefer? I saw the original requirement as stipulating a policy requirement in addition to an implementation requirement. That is, verifiers need to insist on a valid rsa-sha256 signature or the message is considered unverified. From nobody Thu Oct 19 01:47:35 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B08D41347C5 for ; Thu, 19 Oct 2017 01:47:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kLseE4WvzO-5 for ; Thu, 19 Oct 2017 01:47:33 -0700 (PDT) Received: from mail-oi0-x232.google.com (mail-oi0-x232.google.com [IPv6:2607:f8b0:4003:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A38B1347AB for ; Thu, 19 Oct 2017 01:47:32 -0700 (PDT) Received: by mail-oi0-x232.google.com with SMTP id h200so13312666oib.4 for ; Thu, 19 Oct 2017 01:47:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ozXMmQy/EyQe7rD5ogzWkDkyoFpCLof3ETRUzV1ghlQ=; b=IJM06at6P2waikpoamsSfrOAayjjXUXGc6/v4gx/9BxRLOCijrXcHEzqbzgWuBZMzr bdjGCj5DIHKSbu4+yC02mFKx3lGPIu3EX06iYuywRcEnKR4lWQD1TU4/RoA8qhOwar5V rTYJvFHD34l9Zoce4hzuWDJDSe7K30aJA8H7XLelGWhthiblWBvp9DJk0jQmeB+Lqe+V VqJV7KYbxlWdEY3f9AV1CNYz/gVLHtise2EgIVXLL/e4eY6qkaSMpMo5q97eIt0wDmdQ 0vH9iI3oI6mfXROR5W5/fEoQQAnb4XswBa7eveklUYwkVCe3iKxawyzgx81ZZIBEdJbE UYrg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ozXMmQy/EyQe7rD5ogzWkDkyoFpCLof3ETRUzV1ghlQ=; b=D/ow1IBYR7Lx7eV7Oc8VxfAeRPRbL+mNNQ4887t2SGgJwOftaDfvcSHpxwG31G0HJb 6nCQcmb2NkR08VXTgo+PO7ATW/RI4swPad4Qen4Si41RQjNKGwevgjoWLz8MsljbNn7L sdS2maPHjCmUoLNXO/tmI5V9RL84sJWhigUGrgu2guAhuK/zUZ/SicZ8XO0wzcIJi+GJ OpxJ6y+OV89D5+/NdMggpwC7pd5xR/gPoMirTwb8CkARKGjCm5jfJKvq3FVVUHEKY2OE Vr2qpQsiC/Z+KQRCpi90JEQVPlRf/4lSb8JLmroUy1313FYfkMu4pRcH8K19wOdh1q7k /0OA== X-Gm-Message-State: AMCzsaUlTBNggi4Cu4JYIsRrRVmCsz67t+k9wcrqFZNquWBLu+0tU8+b EtP4WFH7rZhdfQmxpu+ddNSN0Q3eKZ3G8GpFDCw= X-Google-Smtp-Source: ABhQp+Qg1rKWLVSAVoaLyQk+YmSbJEzDKRejQFVsUc36CZCJqJt8kwyoXSw23bYq6Fb00KUY+4MzNrjsbeIMJdAFT1k= X-Received: by 10.202.75.140 with SMTP id y134mr361886oia.3.1508402851350; Thu, 19 Oct 2017 01:47:31 -0700 (PDT) MIME-Version: 1.0 Received: by 10.157.72.178 with HTTP; Thu, 19 Oct 2017 01:47:30 -0700 (PDT) In-Reply-To: References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> From: Martin Thomson Date: Thu, 19 Oct 2017 19:47:30 +1100 Message-ID: To: "Murray S. Kucherawy" Cc: dcrup@ietf.org Content-Type: text/plain; charset="UTF-8" Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Oct 2017 08:47:35 -0000 On Thu, Oct 19, 2017 at 6:37 PM, Murray S. Kucherawy wrote: >> I would have expected section 4 to be explicit in the interaction between >> the >> requirement that "rsa-sha1 MUST NOT be used for signing or verifying" and >> the >> Authentication-Results header defined in RFC 7001. In particular, I would >> have >> expected to see guidance here whether receipt of a message using sha1 >> should be >> coded as "neutral" or "policy": as an implementor, I would be unsure which >> one >> to use. > > > I think this is worth considering. What guidance (if any) should we provide > to a verifier that receives an "rsa-sha1" signature in terms of how to > record it in an A-R field? One could make an argument for either of the two > proposed results. I would agree, it's worth putting some text in even. Perhaps you could simply state: "A valid "rsa-sha1" signature provides only a weak signal about the origin of a message and it SHOULD NOT be used as a signal that a message is authentic. However, until stronger signature methods are widely available, a signature using "rsa-sha1" MAY be used to distinguish messages from those that have no or invalid signatures." You might also say, "Receipt of a message with only an "rsa-sha1" signature from a domain that has previously used stronger signatures might be treated as suspicious." But that's getting into crazy-land. From nobody Thu Oct 19 03:51:42 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27BCA132949 for ; Thu, 19 Oct 2017 03:51:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.791 X-Spam-Level: X-Spam-Status: No, score=-1.791 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=kitterman.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IZUm6xwo0f43 for ; Thu, 19 Oct 2017 03:51:39 -0700 (PDT) Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 068A4133207 for ; Thu, 19 Oct 2017 03:51:39 -0700 (PDT) Received: from [192.168.1.115] (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id A8144C401EB; Thu, 19 Oct 2017 05:51:37 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2001409; t=1508410297; bh=TLNkZfoVJIwXeya8RSn+XcwChj5TNlFBkR/5w8CE5JM=; h=Date:In-Reply-To:References:Subject:To:From:From; b=i4OsV3+LghtNamwm4jkVEC3wVgxi+LHjEIf3qY8t5TIlT8z2p+JRkCYXvIghtEKYa zWQVosy3uvr6EBT+YgVnAcRZi9OUSnk4UyRJCi8VaCOoL4A9DsQ0rZOFiGWiYzFksf UJQix/HlHxT58K1F+tz6ccegMmwauCQYPX9X08yM= Date: Thu, 19 Oct 2017 10:49:26 +0000 In-Reply-To: References: <150656461384.13748.13197533071257342162.idtracker@ietfa.amsl.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable To: dcrup@ietf.org From: Scott Kitterman Message-ID: <9FA77DE4-96BA-48E1-83C1-7E8A7628C34E@kitterman.com> Archived-At: Subject: Re: [Dcrup] Ben Campbell's Yes on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Oct 2017 10:51:41 -0000 On October 19, 2017 4:40:18 AM EDT, Martin Thomson wrote: >On Thu, Oct 19, 2017 at 6:35 PM, Murray S=2E Kucherawy > wrote: >>> -4: "Verifiers MUST verify using rsa-sha256=2E" >>> >>> Should this say "=2E=2E=2EMUST be able to=2E=2E=2E"? That is, am I cor= rect in >assuming >>> that >>> a verifier will use the scheme specified by the signer if it is >capable of >>> doing so, and that it doesn't make sense to try to verify with >rsa-sha256 >>> if >>> the signer used something else? >> >> >> I see Ben's point, and "MUST be able to=2E=2E=2E" sounds reasonable to = me=2E=20 >I >> think this also addresses Jari's GEN-ART point (to which Mirja >alluded), and >> his "MUST implement" suggestion also seems reasonable to me=2E >> >> What does the WG prefer? > >I saw the original requirement as stipulating a policy requirement in >addition to an implementation requirement=2E That is, verifiers need to >insist on a valid rsa-sha256 signature or the message is considered >unverified=2E That's what I was trying to communicate when I wrote it that way=2E Scott K From nobody Thu Oct 19 03:56:10 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38F2B133224 for ; Thu, 19 Oct 2017 03:56:08 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.791 X-Spam-Level: X-Spam-Status: No, score=-1.791 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=kitterman.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hEbMiqTdxiFU for ; Thu, 19 Oct 2017 03:56:07 -0700 (PDT) Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BCAC1326FE for ; Thu, 19 Oct 2017 03:56:07 -0700 (PDT) Received: from [192.168.1.115] (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id A06D3C401EB; Thu, 19 Oct 2017 05:56:06 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2001409; t=1508410566; bh=CuwpV3Zxlha4va0+PmDoPVOHH5uBn317G3xPjhoYVyM=; h=Date:In-Reply-To:References:Subject:To:From:From; b=Xpa8C8m87JmC0rZ1jFrjdqzp9u0/14xh1iJP3kGkUUXA2ecLaAEXU/JgK/nZ2sbrJ ivYLG5f5CbXDgRl7pvJOrqPYCzorMth4EWFPhJmuRFqNccMKaDqUOOWBuf3vdsPU4C CnsYsZz5Ubiep1o9gXoDwc+y/WdzMiXK2xUjleMc= Date: Thu, 19 Oct 2017 10:54:46 +0000 In-Reply-To: References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable To: dcrup@ietf.org From: Scott Kitterman Message-ID: <2E80204C-37D7-4624-BD23-573C386D7899@kitterman.com> Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Oct 2017 10:56:08 -0000 On October 19, 2017 4:47:30 AM EDT, Martin Thomson wrote: >On Thu, Oct 19, 2017 at 6:37 PM, Murray S=2E Kucherawy > wrote: >>> I would have expected section 4 to be explicit in the interaction >between >>> the >>> requirement that "rsa-sha1 MUST NOT be used for signing or >verifying" and >>> the >>> Authentication-Results header defined in RFC 7001=2E In particular, I >would >>> have >>> expected to see guidance here whether receipt of a message using >sha1 >>> should be >>> coded as "neutral" or "policy": as an implementor, I would be unsure >which >>> one >>> to use=2E >> >> >> I think this is worth considering=2E What guidance (if any) should we >provide >> to a verifier that receives an "rsa-sha1" signature in terms of how >to >> record it in an A-R field? One could make an argument for either of >the two >> proposed results=2E > >I would agree, it's worth putting some text in even=2E Perhaps you >could simply state: "A valid "rsa-sha1" signature provides only a >weak signal about the origin of a message and it SHOULD NOT be used as >a signal that a message is authentic=2E However, until stronger >signature methods are widely available, a signature using "rsa-sha1" >MAY be used to distinguish messages from those that have no or invalid >signatures=2E" > >You might also say, "Receipt of a message with only an "rsa-sha1" >signature from a domain that has previously used stronger signatures >might be treated as suspicious=2E" But that's getting into crazy-land=2E My assumption had been that since there's no valid signature with rsa-sha1= , there's nothing to even consider putting in an A-R header field=2E I think the only result that can go in this case is None=2E I hadn't thou= ght we'd need to say that, but I guess maybe we do=2E Scott K From nobody Thu Oct 19 05:00:03 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 827E113339D for ; Thu, 19 Oct 2017 05:00:02 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Df1GiJ0MeUiM for ; Thu, 19 Oct 2017 05:00:00 -0700 (PDT) Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51FB613337F for ; Thu, 19 Oct 2017 04:59:59 -0700 (PDT) Received: from pps.filterd (m0122330.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id v9JBxJtb015367; Thu, 19 Oct 2017 12:59:55 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=tECOgqoGn3zNcEAlgZgZ1fCwRIYg3+IeTbzESClqGZ0=; b=ezKyDaW8GCtKIkJ2Xc00fDzMtll2JonF28TEQ1Bore0epROjrqay0bT3VVO8Jm6TXfox s1fx//1jJ7ftnAupm4pIUijgciiYOdouRMqAFT0njiGt4xYGr+40F2oKu0p7HGH4uwdd 7aGLSNwvwaIE2R1z4sZjgCF15VJvDNQu5BLdj8iSIGac6RaPM2kFpnpEqHaUpaN+TDqA WvOKACx3lyJPQD+w8mVrlw45tzYO4O+er9ywijesXy3BgMYMZ/Kmc2ofr36NlZDifuuw uB/eVTPkdSAhaRcL80NlK9+Ibrxpf4+y5l+sav5NMWQqStVn126QrOkwXrP+76RL0Pnf Gw== Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19]) by mx0b-00190b01.pphosted.com with ESMTP id 2dngqsxr1n-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 19 Oct 2017 12:59:55 +0100 Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.21/8.16.0.21) with SMTP id v9JBuNFM013445; Thu, 19 Oct 2017 07:59:55 -0400 Received: from email.msg.corp.akamai.com ([172.27.123.31]) by prod-mail-ppoint2.akamai.com with ESMTP id 2dkdwuf4sa-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 19 Oct 2017 07:59:55 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb2.msg.corp.akamai.com (172.27.123.102) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Thu, 19 Oct 2017 07:59:54 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Thu, 19 Oct 2017 07:59:54 -0400 From: "Salz, Rich" To: "Murray S. Kucherawy" , "dcrup@ietf.org" Thread-Topic: [Dcrup] Ben Campbell's Yes on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) Thread-Index: AQHTSK1dbX6ocppHBkuOab+PbqUyLKLrVT+A Date: Thu, 19 Oct 2017 11:59:53 +0000 Message-ID: References: <150656461384.13748.13197533071257342162.idtracker@ietfa.amsl.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/f.26.0.170902 x-ms-exchange-messagesentrepresentingtype: 1 x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [172.19.32.65] Content-Type: multipart/alternative; boundary="_000_E4F063E241184131BFB38CAE893D26F5akamaicom_" MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-10-19_05:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1710190164 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-10-19_05:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1710190164 Archived-At: Subject: Re: [Dcrup] Ben Campbell's Yes on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Oct 2017 12:00:02 -0000 --_000_E4F063E241184131BFB38CAE893D26F5akamaicom_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 ICAqICAgSSBzZWUgQmVuJ3MgcG9pbnQsIGFuZCAiTVVTVCBiZSBhYmxlIHRvLi4uIiBzb3VuZHMg cmVhc29uYWJsZSB0byBtZQ0KDQpBcyBhbiBpbmRpdmlkdWFsLCBJIGFncmVlLg0K --_000_E4F063E241184131BFB38CAE893D26F5akamaicom_ Content-Type: text/html; charset="utf-8" Content-ID: <41F8F358A134EE47A69FEBE31768DD74@akamai.com> Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6bz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6b2ZmaWNlIiB4 bWxuczp3PSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOm9mZmljZTp3b3JkIiB4bWxuczptPSJo dHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL29mZmljZS8yMDA0LzEyL29tbWwiIHhtbG5zPSJo dHRwOi8vd3d3LnczLm9yZy9UUi9SRUMtaHRtbDQwIj4NCjxoZWFkPg0KPG1ldGEgaHR0cC1lcXVp dj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9dXRmLTgiPg0KPG1l dGEgbmFtZT0iVGl0bGUiIGNvbnRlbnQ9IiI+DQo8bWV0YSBuYW1lPSJLZXl3b3JkcyIgY29udGVu dD0iIj4NCjxtZXRhIG5hbWU9IkdlbmVyYXRvciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTUg KGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxlPjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8N CkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6IkNvdXJpZXIgTmV3IjsNCglwYW5vc2UtMToyIDcg MyA5IDIgMiA1IDIgNCA0O30NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6V2luZ2RpbmdzOw0K CXBhbm9zZS0xOjUgMCAwIDAgMCAwIDAgMCAwIDA7fQ0KQGZvbnQtZmFjZQ0KCXtmb250LWZhbWls eToiQ2FtYnJpYSBNYXRoIjsNCglwYW5vc2UtMToyIDQgNSAzIDUgNCA2IDMgMiA0O30NCkBmb250 LWZhY2UNCgl7Zm9udC1mYW1pbHk6Q2FsaWJyaTsNCglwYW5vc2UtMToyIDE1IDUgMiAyIDIgNCAz IDIgNDt9DQovKiBTdHlsZSBEZWZpbml0aW9ucyAqLw0KcC5Nc29Ob3JtYWwsIGxpLk1zb05vcm1h bCwgZGl2Lk1zb05vcm1hbA0KCXttYXJnaW46MGluOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsN Cglmb250LXNpemU6MTEuMHB0Ow0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIixzYW5zLXNlcmlmO30N CmE6bGluaywgc3Bhbi5Nc29IeXBlcmxpbmsNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCWNv bG9yOmJsdWU7DQoJdGV4dC1kZWNvcmF0aW9uOnVuZGVybGluZTt9DQphOnZpc2l0ZWQsIHNwYW4u TXNvSHlwZXJsaW5rRm9sbG93ZWQNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCWNvbG9yOnB1 cnBsZTsNCgl0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lO30NCnAuTXNvTGlzdFBhcmFncmFwaCwg bGkuTXNvTGlzdFBhcmFncmFwaCwgZGl2Lk1zb0xpc3RQYXJhZ3JhcGgNCgl7bXNvLXN0eWxlLXBy aW9yaXR5OjM0Ow0KCW1hcmdpbi10b3A6MGluOw0KCW1hcmdpbi1yaWdodDowaW47DQoJbWFyZ2lu LWJvdHRvbTowaW47DQoJbWFyZ2luLWxlZnQ6LjVpbjsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7 DQoJZm9udC1zaXplOjExLjBwdDsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsc2Fucy1zZXJpZjt9 DQpzcGFuLkVtYWlsU3R5bGUxNw0KCXttc28tc3R5bGUtdHlwZTpwZXJzb25hbC1yZXBseTsNCglm b250LWZhbWlseToiQ2FsaWJyaSIsc2Fucy1zZXJpZjsNCgljb2xvcjp3aW5kb3d0ZXh0O30NCnNw YW4ubXNvSW5zDQoJe21zby1zdHlsZS10eXBlOmV4cG9ydC1vbmx5Ow0KCW1zby1zdHlsZS1uYW1l OiIiOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7DQoJY29sb3I6dGVhbDt9DQouTXNvQ2hw RGVmYXVsdA0KCXttc28tc3R5bGUtdHlwZTpleHBvcnQtb25seTsNCglmb250LXNpemU6MTAuMHB0 O30NCkBwYWdlIFdvcmRTZWN0aW9uMQ0KCXtzaXplOjguNWluIDExLjBpbjsNCgltYXJnaW46MS4w aW4gMS4waW4gMS4waW4gMS4waW47fQ0KZGl2LldvcmRTZWN0aW9uMQ0KCXtwYWdlOldvcmRTZWN0 aW9uMTt9DQovKiBMaXN0IERlZmluaXRpb25zICovDQpAbGlzdCBsMA0KCXttc28tbGlzdC1pZDoz NzQ0MzM4ODA7DQoJbXNvLWxpc3QtdHlwZTpoeWJyaWQ7DQoJbXNvLWxpc3QtdGVtcGxhdGUtaWRz Oi0xMTgwMjY4NTQ4IDY3Njk4Njk5IDY3Njk4NjkxIDY3Njk4NjkzIDY3Njk4Njg5IDY3Njk4Njkx IDY3Njk4NjkzIDY3Njk4Njg5IDY3Njk4NjkxIDY3Njk4NjkzO30NCkBsaXN0IGwwOmxldmVsMQ0K CXttc28tbGV2ZWwtc3RhcnQtYXQ6MTk7DQoJbXNvLWxldmVsLW51bWJlci1mb3JtYXQ6YnVsbGV0 Ow0KCW1zby1sZXZlbC10ZXh0Ou+DmDsNCgltc28tbGV2ZWwtdGFiLXN0b3A6bm9uZTsNCgltc28t bGV2ZWwtbnVtYmVyLXBvc2l0aW9uOmxlZnQ7DQoJdGV4dC1pbmRlbnQ6LS4yNWluOw0KCWZvbnQt ZmFtaWx5OldpbmdkaW5nczsNCgltc28tZmFyZWFzdC1mb250LWZhbWlseToiVGltZXMgTmV3IFJv bWFuIjsNCgltc28tYmlkaS1mb250LWZhbWlseToiVGltZXMgTmV3IFJvbWFuIjt9DQpAbGlzdCBs MDpsZXZlbDINCgl7bXNvLWxldmVsLW51bWJlci1mb3JtYXQ6YnVsbGV0Ow0KCW1zby1sZXZlbC10 ZXh0Om87DQoJbXNvLWxldmVsLXRhYi1zdG9wOm5vbmU7DQoJbXNvLWxldmVsLW51bWJlci1wb3Np dGlvbjpsZWZ0Ow0KCXRleHQtaW5kZW50Oi0uMjVpbjsNCglmb250LWZhbWlseToiQ291cmllciBO ZXciLHNlcmlmO30NCkBsaXN0IGwwOmxldmVsMw0KCXttc28tbGV2ZWwtbnVtYmVyLWZvcm1hdDpi dWxsZXQ7DQoJbXNvLWxldmVsLXRleHQ674KnOw0KCW1zby1sZXZlbC10YWItc3RvcDpub25lOw0K CW1zby1sZXZlbC1udW1iZXItcG9zaXRpb246bGVmdDsNCgl0ZXh0LWluZGVudDotLjI1aW47DQoJ Zm9udC1mYW1pbHk6V2luZ2RpbmdzO30NCkBsaXN0IGwwOmxldmVsNA0KCXttc28tbGV2ZWwtbnVt YmVyLWZvcm1hdDpidWxsZXQ7DQoJbXNvLWxldmVsLXRleHQ674K3Ow0KCW1zby1sZXZlbC10YWIt c3RvcDpub25lOw0KCW1zby1sZXZlbC1udW1iZXItcG9zaXRpb246bGVmdDsNCgl0ZXh0LWluZGVu dDotLjI1aW47DQoJZm9udC1mYW1pbHk6U3ltYm9sO30NCkBsaXN0IGwwOmxldmVsNQ0KCXttc28t bGV2ZWwtbnVtYmVyLWZvcm1hdDpidWxsZXQ7DQoJbXNvLWxldmVsLXRleHQ6bzsNCgltc28tbGV2 ZWwtdGFiLXN0b3A6bm9uZTsNCgltc28tbGV2ZWwtbnVtYmVyLXBvc2l0aW9uOmxlZnQ7DQoJdGV4 dC1pbmRlbnQ6LS4yNWluOw0KCWZvbnQtZmFtaWx5OiJDb3VyaWVyIE5ldyIsc2VyaWY7fQ0KQGxp c3QgbDA6bGV2ZWw2DQoJe21zby1sZXZlbC1udW1iZXItZm9ybWF0OmJ1bGxldDsNCgltc28tbGV2 ZWwtdGV4dDrvgqc7DQoJbXNvLWxldmVsLXRhYi1zdG9wOm5vbmU7DQoJbXNvLWxldmVsLW51bWJl ci1wb3NpdGlvbjpsZWZ0Ow0KCXRleHQtaW5kZW50Oi0uMjVpbjsNCglmb250LWZhbWlseTpXaW5n ZGluZ3M7fQ0KQGxpc3QgbDA6bGV2ZWw3DQoJe21zby1sZXZlbC1udW1iZXItZm9ybWF0OmJ1bGxl dDsNCgltc28tbGV2ZWwtdGV4dDrvgrc7DQoJbXNvLWxldmVsLXRhYi1zdG9wOm5vbmU7DQoJbXNv LWxldmVsLW51bWJlci1wb3NpdGlvbjpsZWZ0Ow0KCXRleHQtaW5kZW50Oi0uMjVpbjsNCglmb250 LWZhbWlseTpTeW1ib2w7fQ0KQGxpc3QgbDA6bGV2ZWw4DQoJe21zby1sZXZlbC1udW1iZXItZm9y bWF0OmJ1bGxldDsNCgltc28tbGV2ZWwtdGV4dDpvOw0KCW1zby1sZXZlbC10YWItc3RvcDpub25l Ow0KCW1zby1sZXZlbC1udW1iZXItcG9zaXRpb246bGVmdDsNCgl0ZXh0LWluZGVudDotLjI1aW47 DQoJZm9udC1mYW1pbHk6IkNvdXJpZXIgTmV3IixzZXJpZjt9DQpAbGlzdCBsMDpsZXZlbDkNCgl7 bXNvLWxldmVsLW51bWJlci1mb3JtYXQ6YnVsbGV0Ow0KCW1zby1sZXZlbC10ZXh0Ou+CpzsNCglt c28tbGV2ZWwtdGFiLXN0b3A6bm9uZTsNCgltc28tbGV2ZWwtbnVtYmVyLXBvc2l0aW9uOmxlZnQ7 DQoJdGV4dC1pbmRlbnQ6LS4yNWluOw0KCWZvbnQtZmFtaWx5OldpbmdkaW5nczt9DQpvbA0KCXtt YXJnaW4tYm90dG9tOjBpbjt9DQp1bA0KCXttYXJnaW4tYm90dG9tOjBpbjt9DQotLT48L3N0eWxl Pg0KPC9oZWFkPg0KPGJvZHkgYmdjb2xvcj0id2hpdGUiIGxhbmc9IkVOLVVTIiBsaW5rPSJibHVl IiB2bGluaz0icHVycGxlIj4NCjxkaXYgY2xhc3M9IldvcmRTZWN0aW9uMSI+DQo8dWwgc3R5bGU9 Im1hcmdpbi10b3A6MGluIiB0eXBlPSJkaXNjIj4NCjxsaSBjbGFzcz0iTXNvTGlzdFBhcmFncmFw aCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjBpbjttc28tbGlzdDpsMCBsZXZlbDEgbGZvMSI+SSBzZWUg QmVuJ3MgcG9pbnQsIGFuZCAmcXVvdDtNVVNUIGJlIGFibGUgdG8uLi4mcXVvdDsgc291bmRzIHJl YXNvbmFibGUgdG8gbWU8bzpwPjwvbzpwPjwvbGk+PC91bD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+QXMgYW4gaW5kaXZp ZHVhbCwgSSBhZ3JlZS48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9ib2R5Pg0KPC9odG1sPg0K --_000_E4F063E241184131BFB38CAE893D26F5akamaicom_-- From nobody Thu Oct 19 08:44:12 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D0EC132FB1 for ; Thu, 19 Oct 2017 08:44:11 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QU11bCo0g0po for ; Thu, 19 Oct 2017 08:44:10 -0700 (PDT) Received: from mail-lf0-x22f.google.com (mail-lf0-x22f.google.com [IPv6:2a00:1450:4010:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAB23132F30 for ; Thu, 19 Oct 2017 08:44:09 -0700 (PDT) Received: by mail-lf0-x22f.google.com with SMTP id d10so10102292lfg.11 for ; Thu, 19 Oct 2017 08:44:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ByCAa8EGhY4bNDHzeEINp+SEun7FFUMKa6SaSEvExRk=; b=Z6KezWrE7xmUsR8DwuoL421vwWTOoaapaPv01vHnZ/KR/YRvpZmxS7PAj3hgqpgLnV jfiagR+B5nso3OscogCARcuOvxwqPYpOz+g6yZOiRwOKMAkiIje6JZEYNime2XL7CLil wWRhAhDkOMsOAbTIXuzjm4DtQ+HCkCBeQfsLc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ByCAa8EGhY4bNDHzeEINp+SEun7FFUMKa6SaSEvExRk=; b=ijz5sIDljObJ+YUAzxb1pRL+UFb7dvquf2yf6lby4Ak77r5HGIxVeXahhtg+yusHFV cuaONw+Z+B8xMxvuL4e6YC2lRnwu8Y3qy6YPYkUnZiVKosGxpR6lCakcUbpxcSc9us4R zlg/4BQA/sgt9eGqx/VtPSqbjNpLWzWIHtxPtGafH13ZPnFTZ0GARX/XCvORNxG/vCBw HIPJ8Y8r/sTdNQrl9sEy1y6W03NDKLEEtmDTjUIrsR9ro2sG+x2psSjBwV73GBxrxd9U q1S/Vwj2tQ6lXhhZ/2J0cn8yPheu5RaW2X3pCp408QveOUqYuFg/C7NJWNyiox4PGulo XcmA== X-Gm-Message-State: AMCzsaXiNvpfEtowv5p9pBQvcJ3Scn5jlufabh3X0erbpiyZ0/f6ELW3 kTBqlbX5PmPH1ed13VMY/muC/8+cTdl+cX0phUAgPA== X-Google-Smtp-Source: ABhQp+TgF1UmFyZm8flrTDAP+E9ADR888JPXJXJygJad0ZxuKRRgCtVyY40KU3tv7sJ004By4z37S3fe4ZfQgnw3tC0= X-Received: by 10.46.15.2 with SMTP id 2mr886944ljp.30.1508427847929; Thu, 19 Oct 2017 08:44:07 -0700 (PDT) MIME-Version: 1.0 Received: by 10.25.158.77 with HTTP; Thu, 19 Oct 2017 08:44:07 -0700 (PDT) In-Reply-To: References: <150656461384.13748.13197533071257342162.idtracker@ietfa.amsl.com> From: Kurt Andersen Date: Thu, 19 Oct 2017 08:44:07 -0700 Message-ID: To: "Murray S. Kucherawy" Cc: dcrup@ietf.org Content-Type: multipart/alternative; boundary="f403043604140bb9b0055be83ab8" Archived-At: Subject: Re: [Dcrup] Ben Campbell's Yes on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Oct 2017 15:44:11 -0000 --f403043604140bb9b0055be83ab8 Content-Type: text/plain; charset="UTF-8" On Thu, Oct 19, 2017 at 12:35 AM, Murray S. Kucherawy wrote: > > I see Ben's point, and "MUST be able to..." sounds reasonable to me. I > think this also addresses Jari's GEN-ART point (to which Mirja alluded), > and his "MUST implement" suggestion also seems reasonable to me. > > What does the WG prefer? > "MUST be able to" seems to capture the intent. --Kurt --f403043604140bb9b0055be83ab8 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
"MUST be able to&q= uot; seems to capture the intent.

<= /div>
--Kurt
--f403043604140bb9b0055be83ab8-- From nobody Thu Oct 19 08:46:33 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B31613263F for ; Thu, 19 Oct 2017 08:46:32 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YX-SHGDe8-8Y for ; Thu, 19 Oct 2017 08:46:30 -0700 (PDT) Received: from mail-lf0-x229.google.com (mail-lf0-x229.google.com [IPv6:2a00:1450:4010:c07::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79FAC13219B for ; Thu, 19 Oct 2017 08:46:30 -0700 (PDT) Received: by mail-lf0-x229.google.com with SMTP id a132so10109745lfa.7 for ; Thu, 19 Oct 2017 08:46:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=jfDgf3rNQqzB7nBSOuxcUctiUfF5yoSZ/SHnNX9O+Bc=; b=B3q3QwZitXxAqHaylFGw+oV+U6L+CQvojfLiJMRW5bZs92Q8Mmb+ENA44qnm8Jte7I xZKZWLLYHzPoyptUF1T5/8LQDOlEEzqmpSAfhmLFGJnlWOMq83UUP3ltpHn45K7lWlAz TTteRdelKwKs2brWPPPngwRo2zVc7Rjbqty3Y= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=jfDgf3rNQqzB7nBSOuxcUctiUfF5yoSZ/SHnNX9O+Bc=; b=PzERxGf9QbabsasU5HE4NZQ2XikrBWKxoNI6chXISBfh2dYhofh3qSBvocSJSCz6h8 bDPOWmPC1FtJgboV3AcJ7v8rPgMgdywbJsZAOGclksU+KHM3ThXsNZWW6jf5kRfoAOXn foI1WvtSS+mFF4NZDcuayd14DVQem0+eNqRR8QTl+reP5ySXBGw0xxwD26h+Bvpo2hOT 0rBFZ+ve8aJz1IK15gxpNzDJF9STTlAiF3fsmhj9ChxzI6tLt86DUjvX1wEJFIJd1xgk 3RHmMa6Bwcg3YbY6tf8lNmgXfrq/OUZqSaJw99X9mJl4oHj/OSXpce2LtjsFwdgMPo0v ksWg== X-Gm-Message-State: AMCzsaVrF3AFvW4lDdfSz+aG8l+5KHigKuVHZo2dodf9ip6v3YRMfKes uVk6hQJtck3DvTRPYs2VWsmK0PnwhrJObPtGqi9hcTI0 X-Google-Smtp-Source: ABhQp+SvNCqxgrYSYwMbRV2sIc4Www+nsg24t5mSLaY8sFAHzg6u4nOktej9t78t0zOUyAJSTIO81re/gxQ8GbT00Do= X-Received: by 10.46.32.4 with SMTP id g4mr936150ljg.41.1508427988660; Thu, 19 Oct 2017 08:46:28 -0700 (PDT) MIME-Version: 1.0 Received: by 10.25.158.77 with HTTP; Thu, 19 Oct 2017 08:46:27 -0700 (PDT) In-Reply-To: <2E80204C-37D7-4624-BD23-573C386D7899@kitterman.com> References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> <2E80204C-37D7-4624-BD23-573C386D7899@kitterman.com> From: Kurt Andersen Date: Thu, 19 Oct 2017 08:46:27 -0700 Message-ID: To: Scott Kitterman Cc: dcrup@ietf.org Content-Type: multipart/alternative; boundary="001a1142bed26f031a055be8429d" Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Oct 2017 15:46:32 -0000 --001a1142bed26f031a055be8429d Content-Type: text/plain; charset="UTF-8" On Thu, Oct 19, 2017 at 3:54 AM, Scott Kitterman wrote: > > My assumption had been that since there's no valid signature with > rsa-sha1, there's nothing to even consider putting in an A-R header field. > > I think the only result that can go in this case is None. I hadn't > thought we'd need to say that, but I guess maybe we do. > > I agree with Scott. The presence of a DKIM signature that is too weak to trust (whether that is too short of a key or a non-supported hash algorithm) equates to no DKIM signature at all. --Kurt --001a1142bed26f031a055be8429d Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On T= hu, Oct 19, 2017 at 3:54 AM, Scott Kitterman <sklist@kitterman.com= > wrote:
=

My assumption had been that since there's no valid signatur= e with rsa-sha1, there's nothing to even consider putting in an A-R hea= der field.

I think the only result that can go in this case is None.=C2=A0 I hadn'= t thought we'd need to say that, but I guess maybe we do.
<= /blockquote>

I agree with Scott. The presence of a DKIM = signature that is too weak to trust (whether that is too short of a key or = a non-supported hash algorithm) equates to no DKIM signature at all.
<= div>
--Kurt=C2=A0

--001a1142bed26f031a055be8429d-- From nobody Fri Oct 20 17:27:21 2017 Return-Path: X-Original-To: dcrup@ietf.org Delivered-To: dcrup@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CC3A1344D7; Fri, 20 Oct 2017 17:24:19 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: "\"IETF Secretariat\"" To: , Cc: dcrup@ietf.org, aamelnikov@fastmail.fm X-Test-IDTracker: no X-IETF-IDTracker: 6.63.2 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <150854545930.20809.6980776485276920550.idtracker@ietfa.amsl.com> Date: Fri, 20 Oct 2017 17:24:19 -0700 Archived-At: Subject: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Oct 2017 00:24:19 -0000 Dear Murray Kucherawy, The session(s) that you have requested have been scheduled. Below is the scheduled session information followed by the original request. dcrup Session 1 (0:30:00) Wednesday, Morning Session I 0930-1200 Room Name: Bras Basah size: 100 --------------------------------------------- Special Note: 1130-1200 Request Information: --------------------------------------------------------- Working Group Name: DKIM Crypto Update Area Name: Applications and Real-Time Area Session Requester: Murray Kucherawy Number of Sessions: 1 Length of Session(s): 30 Minutes Number of Attendees: 20 Conflicts to Avoid: First Priority: cfrg lamps jmap dmarc dispatch People who must be present: Rich Salz Alexey Melnikov Murray Kucherawy Resources Requested: Special Requests: --------------------------------------------------------- From nobody Fri Oct 20 19:46:55 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDBE8134218 for ; Fri, 20 Oct 2017 19:46:54 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.501 X-Spam-Level: X-Spam-Status: No, score=-0.501 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3QbBIv6s974M for ; Fri, 20 Oct 2017 19:46:53 -0700 (PDT) Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AC4F1329F9 for ; Fri, 20 Oct 2017 19:46:53 -0700 (PDT) Received: (qmail 37564 invoked from network); 21 Oct 2017 02:46:52 -0000 Received: from unknown (64.57.183.53) by gal.iecc.com with QMQP; 21 Oct 2017 02:46:52 -0000 Date: 21 Oct 2017 02:46:30 -0000 Message-ID: <20171021024630.85297.qmail@ary.lan> From: "John Levine" To: dcrup@ietf.org Cc: agenda@ietf.org In-Reply-To: <150854545930.20809.6980776485276920550.idtracker@ietfa.amsl.com> Organization: X-Headerized: yes Mime-Version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8bit Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Oct 2017 02:46:55 -0000 Can we please put my draft draft-ietf-dcrup-dkim-crypto-06 on the agenda? As far as I know the only significant unresolved question is whether to use PureEdDSA or HashEdDSA as the new crypto function. The draft currently says the pure version, and the extra hash in the hash version provides no benefit in our application, but people have said that crypto libraries may not provide the pure version. Some people keep re-asking whether we really want both new algorithms but the answer keeps being yes, we do, because they address different issues. R's, John From nobody Fri Oct 20 20:16:16 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E662A13420B; Fri, 20 Oct 2017 20:16:14 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bluepopcorn.net Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3OKLWAQ5vSg1; Fri, 20 Oct 2017 20:16:13 -0700 (PDT) Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CB3D134313; Fri, 20 Oct 2017 20:16:12 -0700 (PDT) Received: from [192.168.1.78] (dsl-187-140-79-4-dyn.prod-infinitum.com.mx [187.140.79.4] (may be forged)) (authenticated bits=0) by v2.bluepopcorn.net (8.14.4/8.14.4/Debian-8+deb8u2) with ESMTP id v9L3G9pp015022 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 20 Oct 2017 20:16:11 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net; s=supersize; t=1508555771; bh=r6kw4CJZWX6/yEfpWLXRhO+w2fdH7p2l6tloPYpXRAY=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=AYJZVQw4bSTrpBaJ8VK6d82fJrEJzuMnsTHzd0AVuV3JbJ4YnjI1mDgu4LkAUrhu4 Yk/OSyJdA1c2Vs5aV5Jgk012IgJ7DtIYzYQwiX9/9o1ek8NZ0yWKiNIOL8ieKFyhDi 6fh/g+/jPpLTSfTmvACGPe1k5AVSzt5ejbeuJhSs= Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (1.0) From: Jim Fenton X-Mailer: iPad Mail (15A432) In-Reply-To: <20171021024630.85297.qmail@ary.lan> Date: Fri, 20 Oct 2017 22:16:03 -0500 Cc: dcrup@ietf.org, agenda@ietf.org Content-Transfer-Encoding: 7bit Message-Id: <28E6F8C8-AC43-4685-97B4-8C02296AA3DF@bluepopcorn.net> References: <20171021024630.85297.qmail@ary.lan> To: John Levine Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Oct 2017 03:16:15 -0000 > On Oct 20, 2017, at 9:46 PM, John Levine wrote: > > Some people keep re-asking whether we really want both new algorithms > but the answer keeps being yes, we do, because they address different > issues. > For the record, what are the different issues? -Jim From nobody Fri Oct 20 20:32:52 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78CCC13446D for ; Fri, 20 Oct 2017 20:32:51 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.391 X-Spam-Level: X-Spam-Status: No, score=-0.391 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=kitterman.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zLGQvMA7i1N6 for ; Fri, 20 Oct 2017 20:32:50 -0700 (PDT) Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F33813420B for ; Fri, 20 Oct 2017 20:32:50 -0700 (PDT) Received: from [192.168.1.115] (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id ECEA9C40256; Fri, 20 Oct 2017 22:32:47 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2001409; t=1508556768; bh=q6pRP0LEopFgXQzcHpMUGtYT91Yy2JmBZkIe5UQ3jJo=; h=Date:In-Reply-To:References:Subject:To:From:From; b=XDUB64JAC5kL4Ys1aCcciH8iWGnL2jFpvNpaCrabUNbWb4PYeidJa6YQWFYbaRDoz sAIoKO6VXsGiSB++dhI4FNGKFPdFTfTUwape052ZvPlvUY59/EMYZ9Dte9ruj8CmIx emGh7WOq8skTpOt/yaSaJfveg8I5CTJ9LKcxQYvA= Date: Sat, 21 Oct 2017 03:32:46 +0000 In-Reply-To: <20171021024630.85297.qmail@ary.lan> References: <20171021024630.85297.qmail@ary.lan> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable To: dcrup@ietf.org From: Scott Kitterman Message-ID: <3033FF1C-A081-4D59-9820-1F8B84838A2D@kitterman.com> Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Oct 2017 03:32:51 -0000 On October 20, 2017 10:46:30 PM EDT, John Levine wrote= : >Can we please put my draft draft-ietf-dcrup-dkim-crypto-06 on the >agenda? > >As far as I know the only significant unresolved question is whether >to use PureEdDSA or HashEdDSA as the new crypto function=2E The draft >currently says the pure version, and the extra hash in the hash >version provides no benefit in our application, but people have said >that crypto libraries may not provide the pure version=2E > >Some people keep re-asking whether we really want both new algorithms >but the answer keeps being yes, we do, because they address different >issues=2E That wasn't my take on the most recent discussion=2E I haven't gone back = and looked at the archive, but I don't recall much push for adding both=2E = I certainly think adding both would be a mistake though, so maybe that's j= ust my personal bias=2E I agree that the major decision on EdDSA is pure or hash=2E On that, I th= ink the choices are add hash now or defer action and wait to see if pure im= plementations become more common=2E An extra trip through hash functions i= s way less important than avoiding a solution that will end up causing lots= of roll your own crypto to=2Ebe used=2E Scott K From nobody Fri Oct 20 20:36:28 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A263C134478 for ; Fri, 20 Oct 2017 20:36:24 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=PO223p4M; dkim=pass (1536-bit key) header.d=taugh.com header.b=KzvLyCrx Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pReOlgzM71Jk for ; Fri, 20 Oct 2017 20:36:22 -0700 (PDT) Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B637134481 for ; Fri, 20 Oct 2017 20:36:22 -0700 (PDT) Received: (qmail 43108 invoked from network); 21 Oct 2017 03:36:21 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=a862.59eac0b5.k1710; bh=LFlvPFfjSpuBYCcxqaiKWYDqKOw1o8Cl77QYAshHix4=; b=PO223p4MhN+kypa+G1vf88RdLtyFdefUEh2WHsjgFQqjFffrNirwaNpJKr3JzrrRQByuGKbzRxM9P9WPOeWWg6L+JkO6WZJJ1MNOtGRVJSWRHLf/dM1Z54NC/uIwKa9VDy/uPXnILn5BmgCNzngjqa+FmR+p2mkLbe/TeQahwTvSYph6LTxNKbk2EXFxgnoCBQcqKk4mMRAO3vLu+1ZUr0cDmycGCzCcZsaJeITEQJQMkuEVcED76f3J9sGbIr1E DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=a862.59eac0b5.k1710; bh=LFlvPFfjSpuBYCcxqaiKWYDqKOw1o8Cl77QYAshHix4=; b=KzvLyCrxoKzPTMAOeKLgRmnwdtohAktBTLfOF9WO+4bqvu/6cHohPoN42j4R+U9bMwTpjWchoPg6ykZ+tPNTv4CToq9+zYzDIyVxAjWTwKmQOWlLlHzMO9b9uybGPmQ/Ik3KbSP7GPsAXvTIBZ84NZRyWVGGXe6P97MNBdBNmlQcEBNerH0Ts0GBl66DdyT00imxDkSwSu6Eog0oGq+gAdRQ69wky1tTg9jwD9aF/rZhEgzCDFpvVQfC+rKBav69 Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 21 Oct 2017 03:36:20 -0000 Date: 20 Oct 2017 23:36:20 -0400 Message-ID: From: "John R Levine" To: "Jim Fenton" Cc: dcrup@ietf.org In-Reply-To: <28E6F8C8-AC43-4685-97B4-8C02296AA3DF@bluepopcorn.net> References: <20171021024630.85297.qmail@ary.lan> <28E6F8C8-AC43-4685-97B4-8C02296AA3DF@bluepopcorn.net> User-Agent: Alpine 2.21 (OSX 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Oct 2017 03:36:25 -0000 On Fri, 20 Oct 2017, Jim Fenton wrote: >> On Oct 20, 2017, at 9:46 PM, John Levine wrote: >> >> Some people keep re-asking whether we really want both new algorithms >> but the answer keeps being yes, we do, because they address different >> issues. > > For the record, what are the different issues? Hashed RSA addresses the issue that many provisioning systems can't publish keys longer than about 1K bits and that's looking kind of short for RSA. Ed25519 is a completely different algorithm, and happens to be faster and smaller. It's there if RSA turns out to be broken at some point. Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly From nobody Fri Oct 20 20:56:02 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC39913263F for ; Fri, 20 Oct 2017 20:56:00 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bluepopcorn.net Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NDJ4gCUQq2-Q for ; Fri, 20 Oct 2017 20:55:59 -0700 (PDT) Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50F2F134473 for ; Fri, 20 Oct 2017 20:55:59 -0700 (PDT) Received: from [192.168.1.78] (dsl-187-140-79-4-dyn.prod-infinitum.com.mx [187.140.79.4] (may be forged)) (authenticated bits=0) by v2.bluepopcorn.net (8.14.4/8.14.4/Debian-8+deb8u2) with ESMTP id v9L3turA015527 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 20 Oct 2017 20:55:58 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net; s=supersize; t=1508558158; bh=Z5sC+yGcqU3bmtXBf/DyBbW47thS4T1D20wKi34EtYo=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=VpkF6D3KAL4kzANNNYsAHLzvKW0uMFmamn2lVvwOShBk/z5gro5qnYvmX3I46myvT DpTFgj1VhDSvYEMwPvI6KggRUbarCDJrhWtPRoK1rMgKOOv0vysrJnwJiCfGAAUNoq MbdAiyfKbZEbJFXspPiyZVm5ZSzlw3QOgB6/m7TQ= Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (1.0) From: Jim Fenton X-Mailer: iPad Mail (15A432) In-Reply-To: Date: Fri, 20 Oct 2017 22:55:44 -0500 Cc: dcrup@ietf.org Content-Transfer-Encoding: quoted-printable Message-Id: References: <20171021024630.85297.qmail@ary.lan> <28E6F8C8-AC43-4685-97B4-8C02296AA3DF@bluepopcorn.net> To: John R Levine Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Oct 2017 03:56:01 -0000 > On Oct 20, 2017, at 10:36 PM, John R Levine wrote: >=20 > On Fri, 20 Oct 2017, Jim Fenton wrote: >>> On Oct 20, 2017, at 9:46 PM, John Levine wrote: >>>=20 >>> Some people keep re-asking whether we really want both new algorithms >>> but the answer keeps being yes, we do, because they address different >>> issues. >>=20 >> For the record, what are the different issues? >=20 > Hashed RSA addresses the issue that many provisioning systems can't publis= h keys longer than about 1K bits and that's looking kind of short for RSA. >=20 > Ed25519 is a completely different algorithm, and happens to be faster and s= maller. It's there if RSA turns out to be broken at some point. When you put it that way, faster and smaller sounds better. It also addresse= s the key length issue because it uses shorter public keys. So what=E2=80=99= s the motivation for doing hashed RSA as well? -Jim From nobody Fri Oct 20 21:09:54 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8D7C134483 for ; Fri, 20 Oct 2017 21:09:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=cDDsD7Y9; dkim=pass (1536-bit key) header.d=taugh.com header.b=HqHnEI1+ Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id znvQcoL1UmLn for ; Fri, 20 Oct 2017 21:09:51 -0700 (PDT) Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F0DA13263F for ; Fri, 20 Oct 2017 21:09:51 -0700 (PDT) Received: (qmail 49048 invoked from network); 21 Oct 2017 04:09:49 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=bf96.59eac88d.k1710; bh=rHjoA1VlLKix6t/1rchp7ezwiTGkHr/LK8NHbWqCMOM=; b=cDDsD7Y9mQzRSktpVh65IiKSemI+JrWzIm9NL+1LRhFzHcukmyH4Zmb/C3CQej10tkLEul12ItIXlBAteQcC0TBitrbf9gdKXOotiNgbO5sc50pQNMz9S7JEucDEg6GX6DPoSUxWtRozms7f2fwnwmf9oJ6thYkl/ND7aqoOTNUMkpTO+nfi9zFqslLvoYows9h1hUvJSiDpq+29S4AWSPoQXLtC5L6tGC9UQbrGzlsOww0WB2PcUFX+5dUfNKBh DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=bf96.59eac88d.k1710; bh=rHjoA1VlLKix6t/1rchp7ezwiTGkHr/LK8NHbWqCMOM=; b=HqHnEI1+7jxTeoSSr/UPhhg9BjTGxh1iNsX+CDJtXOi+9AOZ/JeeFaWfJXLSjtXWE5TBklYtpRSC2Tky/n6b2qqH8cPwDLO5XeVA9QGPG7JNdPyamcHaST5owpXux91tJb6TGYaF892jOiL4VQX46i1sJue2F34SksqrXy5snGVrqF4YFxEh+FBiH/o7DrpQWI0td5HS6Yiiiq7gPtg0rfsMAo7UVgIhjoxZpq6bq64jJiVXL+KJjztLh7ShEBF5 Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 21 Oct 2017 04:09:48 -0000 Date: 21 Oct 2017 00:09:47 -0400 Message-ID: From: "John R Levine" To: "Jim Fenton" Cc: dcrup@ietf.org In-Reply-To: References: <20171021024630.85297.qmail@ary.lan> <28E6F8C8-AC43-4685-97B4-8C02296AA3DF@bluepopcorn.net> User-Agent: Alpine 2.21 (OSX 202 2017-01-01) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="0-191924680-1508558988=:74838" Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Oct 2017 04:09:53 -0000 This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --0-191924680-1508558988=:74838 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8BIT On Fri, 20 Oct 2017, Jim Fenton wrote: >> Hashed RSA addresses the issue that many provisioning systems can't publish keys longer than about 1K bits and that's looking kind of short for RSA. >> >> Ed25519 is a completely different algorithm, and happens to be faster and smaller. It's there if RSA turns out to be broken at some point. > > When you put it that way, faster and smaller sounds better. It also addresses the key length issue because it uses shorter public keys. So what’s the motivation for doing hashed RSA as well? Some people seem to like RSA. Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly --0-191924680-1508558988=:74838-- From nobody Fri Oct 20 21:22:19 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47B2813448A for ; Fri, 20 Oct 2017 21:22:17 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bluepopcorn.net Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cswoB__E_5YZ for ; Fri, 20 Oct 2017 21:22:16 -0700 (PDT) Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18607134483 for ; Fri, 20 Oct 2017 21:22:16 -0700 (PDT) Received: from [192.168.1.78] (dsl-187-140-79-4-dyn.prod-infinitum.com.mx [187.140.79.4] (may be forged)) (authenticated bits=0) by v2.bluepopcorn.net (8.14.4/8.14.4/Debian-8+deb8u2) with ESMTP id v9L4MD75015833 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 20 Oct 2017 21:22:15 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net; s=supersize; t=1508559735; bh=S2a1HAcVVQTFasCARxtfIYRIEL+ceIcHxoAm97nnqyQ=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=fElmMiAa+t85a1SPcCbayhEQrJO24wTHsQuiyPZT1r1cM6CfEKhMK3ZUEWV3KAgiw XuRODO9lLwIW5vZTjc2chW7z/aMPigMxzWHbKZSmoBGjNt7gtFCA+FWKaJkX+lRr+h 7hOMbCEpTk5MztrJj/NczRI68t3ENMgtXOwAbbjw= Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (1.0) From: Jim Fenton X-Mailer: iPad Mail (15A432) In-Reply-To: Date: Fri, 20 Oct 2017 23:22:07 -0500 Cc: dcrup@ietf.org Content-Transfer-Encoding: quoted-printable Message-Id: <46CCFA81-F409-430F-B0A3-002506050EF2@bluepopcorn.net> References: <20171021024630.85297.qmail@ary.lan> <28E6F8C8-AC43-4685-97B4-8C02296AA3DF@bluepopcorn.net> To: John R Levine Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Oct 2017 04:22:17 -0000 On Oct 20, 2017, at 11:09 PM, John R Levine wrote: >=20 > On Fri, 20 Oct 2017, Jim Fenton wrote: >>> Hashed RSA addresses the issue that many provisioning systems can't publ= ish keys longer than about 1K bits and that's looking kind of short for RSA.= >>>=20 >>> Ed25519 is a completely different algorithm, and happens to be faster an= d smaller. It's there if RSA turns out to be broken at some point. >>=20 >> When you put it that way, faster and smaller sounds better. It also addre= sses the key length issue because it uses shorter public keys. So what=E2=80= =99s the motivation for doing hashed RSA as well? >=20 > Some people seem to like RSA. That=E2=80=99s a very weak argument. It sounds like Scott Kitterman also feels this is not a settled issue, so go= ing back to the origin of this thread, I request that the chairs agendize a d= iscussion on the need for both algorithms. -Jim From nobody Sat Oct 21 05:16:37 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEF6C13292F for ; Sat, 21 Oct 2017 05:16:35 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G7GnVQwDhkJu for ; Sat, 21 Oct 2017 05:16:34 -0700 (PDT) Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A4ED1321DE for ; Sat, 21 Oct 2017 05:16:34 -0700 (PDT) Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v9LCCBh4013603; Sat, 21 Oct 2017 13:16:27 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=3fLFevb+WhMHMJ+5sWT598PUKEWNHFnrQiIlc2KnKns=; b=m44355NVm4pHL3/eb+0YxUXfwGv2EGsEnFI12NyW4dSd2Hvlxqqn8NjvJPQJE6EEBmPP rMkP6rVLFATn0umaV+ZcxhT7WW58RGyOXES+6VuuIgYBVH5zoJ43rvvpLtYaO4RlgNd6 vhNc6PDcHcOFr/4pyMG7Cus4NyR5FQsRV2rHPIwrQtIA0uQp5XUSZEOI3nga5d+qdhg6 EYN7JPTiVCc20WkeYHeSv35Hku2IdegmeV5UU+FFr2jzotWyJDN7hByILhT6ZFFjknoX +0E3wq1mWfcfBzjbSvC6nTuTmAeXVT5HO4HN5ZRrtBm9vrTySTpiImne+BW90V3mxrBX mQ== Received: from prod-mail-ppoint1 (prod-mail-ppoint1.akamai.com [184.51.33.18]) by m0050096.ppops.net-00190b01. with ESMTP id 2dqxn68y3p-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 21 Oct 2017 13:16:26 +0100 Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.16.0.21/8.16.0.21) with SMTP id v9LCFjqL002524; Sat, 21 Oct 2017 08:16:26 -0400 Received: from email.msg.corp.akamai.com ([172.27.123.33]) by prod-mail-ppoint1.akamai.com with ESMTP id 2dr1ju8eny-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 21 Oct 2017 08:16:26 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb1.msg.corp.akamai.com (172.27.123.101) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Sat, 21 Oct 2017 08:16:25 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Sat, 21 Oct 2017 08:16:25 -0400 From: "Salz, Rich" To: Jim Fenton , John R Levine CC: "dcrup@ietf.org" Thread-Topic: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 Thread-Index: AQHTSgMalWUadeHZz0qDUxO6o5c5vKLt3KAAgAAIQYCAAAWrAIAABWwAgAAD7YCAAANygIAAhIWA Date: Sat, 21 Oct 2017 12:16:24 +0000 Message-ID: <1EB6C371-259D-443C-9590-E445DCFE1D69@akamai.com> References: <20171021024630.85297.qmail@ary.lan> <28E6F8C8-AC43-4685-97B4-8C02296AA3DF@bluepopcorn.net> <46CCFA81-F409-430F-B0A3-002506050EF2@bluepopcorn.net> In-Reply-To: <46CCFA81-F409-430F-B0A3-002506050EF2@bluepopcorn.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/f.27.0.171010 x-ms-exchange-messagesentrepresentingtype: 1 x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [172.19.37.55] Content-Type: text/plain; charset="utf-8" Content-ID: Content-Transfer-Encoding: base64 MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-10-21_03:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1710210176 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-10-21_03:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1710210176 Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Oct 2017 12:16:35 -0000 PiAgICBJdCBzb3VuZHMgbGlrZSBTY290dCBLaXR0ZXJtYW4gYWxzbyBmZWVscyB0aGlzIGlzIG5v dCBhIHNldHRsZWQgaXNzdWUsIHNvIGdvaW5nIGJhY2sgdG8gdGhlIG9yaWdpbiBvZiB0aGlzIHRo cmVhZCwgSSByZXF1ZXN0IHRoYXQgdGhlIGNoYWlycyBhZ2VuZGl6ZSBhIGRpc2N1c3Npb24gb24g dGhlIG5lZWQgZm9yIGJvdGggYWxnb3JpdGhtcy4NCiAgICANCkFnZW5kaXplPw0KDQpBbnlob3cs IHllcy4NCg0K From nobody Sat Oct 21 05:38:46 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 166FF126E64 for ; Sat, 21 Oct 2017 05:38:45 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TvXg02P-UvY7 for ; Sat, 21 Oct 2017 05:38:43 -0700 (PDT) Received: from mail-lf0-x232.google.com (mail-lf0-x232.google.com [IPv6:2a00:1450:4010:c07::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FB5F124207 for ; Sat, 21 Oct 2017 05:38:43 -0700 (PDT) Received: by mail-lf0-x232.google.com with SMTP id k40so15710228lfi.4 for ; Sat, 21 Oct 2017 05:38:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=bokfU74bR3sTSfFM8s19AVbf1Q0lYO4yNZLibFcbEms=; b=WMjjKR6Gn6R5mmgniI7gO5aXBOgiTW/aKeBjooMBOojqXfyOIOHuMCvZijYIYJEsDx oy6egh4cfmjJti/awoM87cbK+vN7vG4MzlkPDFXAcTjS66VFxyArH+O2uyLUcEw9M4px omzEbBnvoyWXuY7IL8ULuRdc2YwpCZRiAVtQY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=bokfU74bR3sTSfFM8s19AVbf1Q0lYO4yNZLibFcbEms=; b=HITO9s9e1niH5gDIIrI00nkY70FB0QoGamyTZOOc3q98FgwdtlXefPcSgrTZcf+Keo 5CGU1I6uTZvCKIxWd3wgHoTwk9JKYCIIKvwzCGylULb+rYcbjhQ721Xrh6TItaCHX3uw MY7noiG/5/ys6dVes2HuMbirsz7MkMAaF3Q28XFeakozP3mhdAgtgkl2Ie2OHgqUF2/e dccA61oe4DQRXS1ZdIQoeYvQHeBorm/X/e6yeQBlOK4RUVudqovtOsUXIzbEgw8K2s/F WiPZex/34job97EH6LRpPnvCfQAP8Z/ssjOQaELDh9bsLqzESK5dv8IEPsOqsJCVJg1E uYfA== X-Gm-Message-State: AMCzsaVe4ES6+D2VutTmopovJuzUAY3yXuhX0LS+RnEgFxeNDOzh7CYQ oGWuVzLoeQmFifBxQhUVYLqWp4TM1PA1RW1IAAFg+pwm X-Google-Smtp-Source: ABhQp+TF7aEmCqE/JN1Zpc5mi5k8xem1Mi3ELa1pnjR9N/AGq4q2nhEE5C/SDsIOzCfJsD/OoxcizBk1EzLxh9SRLVE= X-Received: by 10.46.92.199 with SMTP id q190mr3572739ljb.88.1508589521398; Sat, 21 Oct 2017 05:38:41 -0700 (PDT) MIME-Version: 1.0 Received: by 10.25.158.77 with HTTP; Sat, 21 Oct 2017 05:38:40 -0700 (PDT) In-Reply-To: References: <20171021024630.85297.qmail@ary.lan> <28E6F8C8-AC43-4685-97B4-8C02296AA3DF@bluepopcorn.net> From: Kurt Andersen Date: Sat, 21 Oct 2017 05:38:40 -0700 Message-ID: To: John R Levine Cc: Jim Fenton , dcrup@ietf.org Content-Type: multipart/alternative; boundary="94eb2c1b4f10890939055c0ddef5" Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Oct 2017 12:38:45 -0000 --94eb2c1b4f10890939055c0ddef5 Content-Type: text/plain; charset="UTF-8" On Fri, Oct 20, 2017 at 8:36 PM, John R Levine wrote: > On Fri, 20 Oct 2017, Jim Fenton wrote: > >> On Oct 20, 2017, at 9:46 PM, John Levine wrote: >>> >>> Some people keep re-asking whether we really want both new algorithms >>> but the answer keeps being yes, we do, because they address different >>> issues. >>> >> >> For the record, what are the different issues? >> > > Hashed RSA addresses the issue that many provisioning systems can't > publish keys longer than about 1K bits and that's looking kind of short for > RSA. > > Ed25519 is a completely different algorithm, and happens to be faster and > smaller. It's there if RSA turns out to be broken at some point. > > I thought that the "different algorithms" question was regarding Pure Ed25519 vs. Hashed Ed25519 which is a question about double hashing. --Kurt --94eb2c1b4f10890939055c0ddef5 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On F= ri, Oct 20, 2017 at 8:36 PM, John R Levine <johnl@taugh.com> w= rote:
On Fri, 20 Oct 201= 7, Jim Fenton wrote:
On Oct 20, 2017, at 9:46 PM, John Levine <johnl@taugh.com> wrote:

Some people keep re-asking whether we really want both new algorithms
but the answer keeps being yes, we do, because they address different
issues.

For the record, what are the different issues?

 Hashed RSA addresses the issue that many provisioning systems can't pub= lish keys longer than about 1K bits and that's looking kind of short fo= r RSA.

Ed25519 is a completely different algorithm, and happens to be faster and s= maller.=C2=A0 It's there if RSA turns out to be broken at some point.
<= /blockquote>

I thought that the "different algorith= ms" question was regarding Pure Ed25519 vs. Hashed Ed25519 which is a = question about double hashing.

--Kurt=C2=A0
<= /div>
--94eb2c1b4f10890939055c0ddef5-- From nobody Sat Oct 21 08:09:23 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A802A124B18 for ; Sat, 21 Oct 2017 08:09:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.401 X-Spam-Level: X-Spam-Status: No, score=-2.401 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=tana.it Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X8aKFdiFLJl8 for ; Sat, 21 Oct 2017 08:09:21 -0700 (PDT) Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 889B71241F3 for ; Sat, 21 Oct 2017 08:09:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=beta; t=1508598557; bh=KX8mPwj+RcW63lJgrutKutn6r6XgyzO9Bvpgs6o1ZU4=; l=1314; h=To:References:From:Date:In-Reply-To; b=Lcn4rdt77NJqg08WOEAfV74WsiEP9HKFEm4l1gdzXxdvoy01OJMYP4ccuuhLD8KdN j0D/5G5zF24sUPbHoLfv3/PRi/LPnPObsCme/8Gtk74ZIr3uee+lMrv7PW60Px0lj8 OAguI688krqDLp69OyRyCwV3rRv9EegEiWY85zG8= Authentication-Results: tana.it; auth=pass (details omitted) Received: from [172.25.197.109] (pcale.tana [172.25.197.109]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by wmail.tana.it with ESMTPA; Sat, 21 Oct 2017 17:09:17 +0200 id 00000000005DC0A5.0000000059EB631D.000010AF To: dcrup@ietf.org References: <20171021024630.85297.qmail@ary.lan> <3033FF1C-A081-4D59-9820-1F8B84838A2D@kitterman.com> From: Alessandro Vesely Openpgp: id=0A5B4BB141A53F7F55FC8CBCB6ACF44490D17C00 Message-ID: <6c91e102-47fe-cbbe-ae45-04b99c774a56@tana.it> Date: Sat, 21 Oct 2017 17:09:17 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: <3033FF1C-A081-4D59-9820-1F8B84838A2D@kitterman.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Oct 2017 15:09:23 -0000 On Sat 21/Oct/2017 05:32:46 +0200 Scott Kitterman wrote: > I agree that the major decision on EdDSA is pure or hash. On that, I think > the choices are add hash now or defer action and wait to see if pure > implementations become more common. An extra trip through hash functions is > way less important than avoiding a solution that will end up causing lots of > roll your own crypto to.be used. The choice can also lie between pure and hash. Well, sort of. For example, we can use a (4K - 256) byte buffer to be filled with canonicalized text, while any exceeding text will be compressed in a 256 byte hash. Next, the resulting 4K-or-less buffer is passed to gnutls_privkey_sign_data() or whatever the signing function. By passing a fair amount of "pure" text, we enjoy a fair amount of resilience to hash-collisions —one of the feathers in EdDSA's cap. Plain double hashing misses that feature. Yet, we're not maddening implementors by requiring an indefinite-size buffer. I said 4K as it is not more than the page size on most systems, but we can also specify a varying size, e.g. by specifying a tag like buf=4096. A system's policy may refuse to verify signatures that require an overly large buffer, and send aggregate reports with a suitable policy override reason. jm2c Ale -- From nobody Sat Oct 21 09:09:21 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAAA512726E for ; Sat, 21 Oct 2017 09:09:19 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.101 X-Spam-Level: X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=IPjvJ3nb; dkim=pass (1536-bit key) header.d=taugh.com header.b=N0T/HGm4 Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IlL1qA4d1qEO for ; Sat, 21 Oct 2017 09:09:18 -0700 (PDT) Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71FC11270AE for ; Sat, 21 Oct 2017 09:09:18 -0700 (PDT) Received: (qmail 57585 invoked from network); 21 Oct 2017 16:09:16 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=e0ef.59eb712c.k1710; bh=poQ2XTpqVoPixuGjPMnnUz/nR7O7M1QKQcfdAFTozeo=; b=IPjvJ3nbJo4G6ue4SDQmVo/0ZZa9rLahsqLNh8N9uJTZOtb1bohBL+tUldb/fkLoU7Gnhw9/RFadtHkooyGfvyAE/sLVmqiaNXzFe+EHJfDD/rwu0nSmDSBjfADx14eeczY3S0/Xc/8fLKvgKEroo7Q07V110vkUmGNkOJGjHNS72Jdl7WUcGRnzs/JdJLKl6DoDmy34Ea35EaQX4vhA6zxB79+X3Lk5B3DGA1Zr7A5AbXS/IOynGy39jEM87a2a DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=e0ef.59eb712c.k1710; bh=poQ2XTpqVoPixuGjPMnnUz/nR7O7M1QKQcfdAFTozeo=; b=N0T/HGm4hKdO2gXEHarLy5n7kzPYZv+1u9ZfsuR8ZVgdFbWCit48IfThLOdsnPAZP4jDv/rKoOEHKYpsA5pz4mbjIhvlgy9Q/jlQbMZeoANZ7aDWOZ2T4fs+jVFVTXRr54f/5Kg6LltDsAQPh853JgDeqPYt3xyHnXZoijHEEN7WiLJ22ebDr+fMxM6thsAB9S7fRM2ouUmtDzrjPN4+gvKxvdH2+MMkA8TBcnCKoS9yDs1GhZdaPZOsnMCydEGV Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 21 Oct 2017 16:09:16 -0000 Date: 21 Oct 2017 12:09:16 -0400 Message-ID: From: "John R Levine" To: "Kurt Andersen" Cc: dcrup@ietf.org In-Reply-To: References: <20171021024630.85297.qmail@ary.lan> <28E6F8C8-AC43-4685-97B4-8C02296AA3DF@bluepopcorn.net> User-Agent: Alpine 2.21 (OSX 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Oct 2017 16:09:20 -0000 On Sat, 21 Oct 2017, Kurt Andersen wrote: >> Hashed RSA addresses the issue that many provisioning systems can't >> publish keys longer than about 1K bits and that's looking kind of short for RSA. >> >> Ed25519 is a completely different algorithm, and happens to be faster and >> smaller. It's there if RSA turns out to be broken at some point. >> > > I thought that the "different algorithms" question was regarding Pure > Ed25519 vs. Hashed Ed25519 which is a question about double hashing. No, as you can see we're still refighting RSA vs. elliptic. Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly From nobody Sat Oct 21 09:46:57 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49D3D1270AE for ; Sat, 21 Oct 2017 09:46:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.001 X-Spam-Level: X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SHnhEBID2dic for ; Sat, 21 Oct 2017 09:46:53 -0700 (PDT) Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C742126D3F for ; Sat, 21 Oct 2017 09:46:53 -0700 (PDT) Received: (qmail 68594 invoked from network); 21 Oct 2017 16:46:52 -0000 Received: from unknown (64.57.183.53) by gal.iecc.com with QMQP; 21 Oct 2017 16:46:52 -0000 Date: 21 Oct 2017 16:46:30 -0000 Message-ID: <20171021164630.90725.qmail@ary.lan> From: "John Levine" To: dcrup@ietf.org Cc: vesely@tana.it In-Reply-To: <6c91e102-47fe-cbbe-ae45-04b99c774a56@tana.it> Organization: X-Headerized: yes Mime-Version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8bit Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Oct 2017 16:46:55 -0000 In article <6c91e102-47fe-cbbe-ae45-04b99c774a56@tana.it> you write: >On Sat 21/Oct/2017 05:32:46 +0200 Scott Kitterman wrote: >> I agree that the major decision on EdDSA is pure or hash. On that, I think >> the choices are add hash now or defer action and wait to see if pure >> implementations become more common. An extra trip through hash functions is >> way less important than avoiding a solution that will end up causing lots of >> roll your own crypto to.be used. >The choice can also lie between pure and hash. Well, sort of. ... Really, no, it can't. There are two defined variants for eddsa PureEdDSA and HashEdDSA, and we already have a defined way to create the DKIM message hash. I have no interest in implementing yet another nonstantard mutant version and I doubt anyone else does either. R's, John From nobody Sat Oct 21 10:13:34 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5390112421A for ; Sat, 21 Oct 2017 10:13:33 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.109 X-Spam-Level: X-Spam-Status: No, score=0.109 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=kitterman.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E3YGtPFwSiYU for ; Sat, 21 Oct 2017 10:13:32 -0700 (PDT) Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03C1C1241F3 for ; Sat, 21 Oct 2017 10:13:31 -0700 (PDT) Received: from [10.243.194.31] (mobile-166-171-59-243.mycingular.net [166.171.59.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 97C8EC40166; Sat, 21 Oct 2017 12:13:29 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2001409; t=1508606009; bh=QVgBR6LkUyuitordmSPyFq6hbH2kQRLUXJpbkyJkP8Y=; h=Date:In-Reply-To:References:Subject:To:From:From; b=jMB8cYufC+mywWVydNCAw5vJ31MBB5+PK1OfFo3ODzZNMpqx56CnOuLN9nF2vmAqH i3dTk71WgUNCtvccXQwUVywl59FhYdADFRljtii/K6jHpc/S4cokf53DNOM+LBJctm molXkn1PmCwJRTFg7Uj4H9gSs+PoIRpRHDZR4FDM= Date: Sat, 21 Oct 2017 17:13:27 +0000 In-Reply-To: <20171021164630.90725.qmail@ary.lan> References: <20171021164630.90725.qmail@ary.lan> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable To: dcrup@ietf.org From: Scott Kitterman Message-ID: <573D0F0C-E4E5-4C7B-B12F-B2E70620F16E@kitterman.com> Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Oct 2017 17:13:33 -0000 On October 21, 2017 12:46:30 PM EDT, John Levine wrote= : >In article <6c91e102-47fe-cbbe-ae45-04b99c774a56@tana=2Eit> you write: >>On Sat 21/Oct/2017 05:32:46 +0200 Scott Kitterman wrote: >>> I agree that the major decision on EdDSA is pure or hash=2E On that, >I think >>> the choices are add hash now or defer action and wait to see if pure >>> implementations become more common=2E An extra trip through hash >functions is >>> way less important than avoiding a solution that will end up causing >lots of >>> roll your own crypto to=2Ebe used=2E >>The choice can also lie between pure and hash=2E Well, sort of=2E =2E= =2E=2E > >Really, no, it can't=2E There are two defined variants for eddsa >PureEdDSA and HashEdDSA, and we already have a defined way to create >the DKIM message hash=2E I have no interest in implementing yet another >nonstantard mutant version and I doubt anyone else does either=2E +1=2E Most definitely not=2E Scott K From nobody Sat Oct 21 23:03:21 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBE251362E0 for ; Sat, 21 Oct 2017 23:03:19 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.1 X-Spam-Level: X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jhcloos.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WPGyE0A9c4Y6 for ; Sat, 21 Oct 2017 23:03:19 -0700 (PDT) Received: from ore.jhcloos.com (ore.jhcloos.com [IPv6:2604:2880::b24d:a297]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 289101361BC for ; Sat, 21 Oct 2017 22:55:16 -0700 (PDT) Received: by ore.jhcloos.com (Postfix, from userid 10) id F07B51E1E6; Sun, 22 Oct 2017 05:55:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhcloos.com; s=ore17; t=1508651716; bh=WFtK/vNjV2SsmuqQ0U5uV3L17Z87yZ3sdEB5wBk1j3g=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=plscMIDOdI54gEcggzz5Ca+9f+Bjxxy6+RatOM0sKG7KmX+8bS19rsIbZE1HCt8Ac rr+HUCtt5pV8MBx/MAP0bB4Hcf0Go1LS3zr095L7w7kOfl3vBWBHmYhqJXHlc46fLP Bex1v32EvT9xur06UUFw5R8it1SSGhhQ5+M/Qnlt8MjlcwB8BiR83LdSgD5DwHE9Wh tKWneE4FbdYsDJVpTYEzXAXSGTagG5pFrFsyzRKLdYHOZuph+rv0iEhksMxmklY+K8 /CtXswzSWbwpuP/Fh+kXnua7xqzIhhN+5esNcq33lU+wNucs9D5Ib6J91gaLwFdUvd sUv0hnIb9MCig== Received: by carbon.jhcloos.org (Postfix, from userid 500) id 443D41074590A; Sun, 22 Oct 2017 05:55:09 +0000 (UTC) From: James Cloos To: dcrup@ietf.org, Cc: John Levine , vesely@tana.it In-Reply-To: <20171021164630.90725.qmail@ary.lan> (John Levine's message of "21 Oct 2017 16:46:30 -0000") References: <20171021164630.90725.qmail@ary.lan> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.60 (gnu/linux) Face: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAgMAAABinRfyAAAACVBMVEX///8ZGXBQKKnCrDQ3 AAAAJElEQVQImWNgQAAXzwQg4SKASgAlXIEEiwsSIYBEcLaAtMEAADJnB+kKcKioAAAAAElFTkSu QmCC Copyright: Copyright 2017 James Cloos OpenPGP: 0x997A9F17ED7DAEA6; url=https://jhcloos.com/public_key/0x997A9F17ED7DAEA6.asc OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6 Date: Sun, 22 Oct 2017 01:55:09 -0400 Message-ID: Lines: 16 MIME-Version: 1.0 Content-Type: text/plain Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Oct 2017 06:03:20 -0000 >>>>> "JL" == John Levine writes: JL> I have no interest in implementing yet another nonstantard mutant JL> version and I doubt anyone else does either. There is nothing mutant about it. Just send whatever would go to a hash function directly to eddsa. Simple as can be. Given the (highly) likely lack of library support for pureeddsa, doing otherwise is unreasonable. -JimC -- James Cloos OpenPGP: 0x997A9F17ED7DAEA6 From nobody Sun Oct 22 03:26:39 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5B86137ED3 for ; Sun, 22 Oct 2017 03:26:36 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.279 X-Spam-Level: X-Spam-Status: No, score=-1.279 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_HEX=1.122] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=tana.it Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BkvbvUdBemXr for ; Sun, 22 Oct 2017 03:26:34 -0700 (PDT) Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42326137ECF for ; Sun, 22 Oct 2017 03:26:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=beta; t=1508667990; bh=G4m4XUm34mxdrbzMu+BehmJL7etCu/gQuRfANubtoIk=; l=1422; h=To:References:From:Date:In-Reply-To; b=ghi26PckA3uAgA7mF0qddnd9yPz2QFeKLdFINdzZTMEXxuxcNc2pMaqv137gSOfiI b49uIMZ8uKXdt2ihPHCzXD+QMmkEHcF8EjnDG/kNtqiaU2LHgtIq06kqw7aJ7NA13+ lMoGs41lGmwu8UThSfvkLEoQqg8M6q9Z5mKyMsAs= Authentication-Results: tana.it; auth=pass (details omitted) Received: from [172.25.197.109] ([172.25.197.109]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by wmail.tana.it with ESMTPA; Sun, 22 Oct 2017 12:26:30 +0200 id 00000000005DC008.0000000059EC7256.00007D40 To: dcrup@ietf.org References: <20171021164630.90725.qmail@ary.lan> From: Alessandro Vesely Openpgp: id=0A5B4BB141A53F7F55FC8CBCB6ACF44490D17C00 Message-ID: <838f0f9b-d028-c45d-1419-17566ce45c21@tana.it> Date: Sun, 22 Oct 2017 12:26:30 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: <20171021164630.90725.qmail@ary.lan> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Oct 2017 10:26:37 -0000 On Sat 21/Oct/2017 18:46:30 +0200 someone wrote: > > There are two defined variants for eddsa PureEdDSA and HashEdDSA, and we > already have a defined way to create the DKIM message hash. DKIM has a defined way to create a sha256 hash, which suits RSA signatures pretty well, but is not what section 4 of rfc8032 specifies. Ed25519 signatures customarily use a different hashing, so as to achieve collision resistance. In their "Security notes on prehashing"[*] the authors conclude as follows: The main motivation for HashEdDSA is the following storage issue (which is irrelevant to most well-designed signature applications). Computing the PureEdDSA signature of M requires reading through M twice from a buffer as long as M, and therefore does not support a small-memory “Init-Update- Final” interface for long messages. Every common hash function H' supports a small-memory “Init-Update-Final” interface for long messages, so H'-EdDSA signing also supports a small-memory “Init- Update-Final” interface for long messages. Beware, however, that analogous streaming of verification for long messages means that verifiers pass along forged packets from attackers, so it is safest for protocol designers to split long messages into short messages to be signed; this splitting also eliminates the storage issue. http://ed25519.cr.yp.to/eddsa-20150704.pdf Ciao Ale -- From nobody Sun Oct 22 05:34:08 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 865191389A8 for ; Sun, 22 Oct 2017 05:34:06 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.001 X-Spam-Level: X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ht6rCRuBJryC for ; Sun, 22 Oct 2017 05:34:05 -0700 (PDT) Received: from wizmail.org (wizmail.org [IPv6:2a00:1940:107::2:0:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB01B1389A4 for ; Sun, 22 Oct 2017 05:34:04 -0700 (PDT) Received: from [2a00:b900:109e:0:c5d6:c61b:f5e0:b51f] (helo=lap.dom.ain) by wizmail.org with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89.119) id 1e6FS6-0005nw-9V for dcrup@ietf.org (return-path ); Sun, 22 Oct 2017 12:34:02 +0000 To: dcrup@ietf.org References: <20171021164630.90725.qmail@ary.lan> <838f0f9b-d028-c45d-1419-17566ce45c21@tana.it> From: Jeremy Harris Message-ID: Date: Sun, 22 Oct 2017 13:33:57 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: <838f0f9b-d028-c45d-1419-17566ce45c21@tana.it> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Pcms-Received-Sender: [2a00:b900:109e:0:c5d6:c61b:f5e0:b51f] (helo=lap.dom.ain) with esmtpsa Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Oct 2017 12:34:06 -0000 On 22/10/17 11:26, Alessandro Vesely wrote: > On Sat 21/Oct/2017 18:46:30 +0200 someone wrote: >> >> There are two defined variants for eddsa PureEdDSA and HashEdDSA, and we >> already have a defined way to create the DKIM message hash. > > DKIM has a defined way to create a sha256 hash, which suits RSA signatures > pretty well, but is not what section 4 of rfc8032 specifies. Ed25519 > signatures customarily use a different hashing, so as to achieve collision > resistance. In their "Security notes on prehashing"[*] the authors conclude as > follows: > > The main motivation for HashEdDSA is the following storage issue (which is > irrelevant to most well-designed signature applications). Computing the > PureEdDSA signature of M requires reading through M twice from a buffer as > long as M, and therefore does not support a small-memory “Init-Update- > Final” interface for long messages. Every common hash function H' > supports a small-memory “Init-Update-Final” interface for long > messages, so H'-EdDSA signing also supports a small-memory “Init- > Update-Final” interface for long messages. That storage amount would be bounded by the size of the hash fed to PureEdDSA in the DKIM case. So the suggestion that it is unwise does not apply to this use-case. As alternate, could we ask that the libraries doing HashEdDSA make the intermediate hash available? -- Cheers, Jeremy From nobody Sun Oct 22 07:05:22 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E75FA1390E9 for ; Sun, 22 Oct 2017 07:05:20 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.102 X-Spam-Level: X-Spam-Status: No, score=-0.102 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=GAUSR+yZ; dkim=pass (1536-bit key) header.d=taugh.com header.b=Oj2NCcNw Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ACwCzNUSzj3B for ; Sun, 22 Oct 2017 07:05:19 -0700 (PDT) Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 737171390E6 for ; Sun, 22 Oct 2017 07:05:19 -0700 (PDT) Received: (qmail 37710 invoked from network); 22 Oct 2017 14:05:18 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=934b.59eca59e.k1710; bh=OyXjgIp8rtSpGz3h7cSuUfS48kt0AgZ4ORNJGA1pfVY=; b=GAUSR+yZiDqliy+aAe6GIFWj3sE6qDKu2TyT1YnWp7qQrgKuN/wx7TjWlSoTBxDc3UP0optyQzKKa6kbUwgBg1dlCOVok0kbJP5SDjkQ2OabeqdZNZgdNXFdqbUrzNR0IeEyrBEJzFhcikhAmUSzFQ4AO2jrMYfi4CJd/q0/hftXFwC65h2HzvEEX5qIQumi46PEPVAd6PoV7DiLTpT8lqBk4+bP9diSdQIGQODJIe5lEDsFI5DSskVS0Z/zySoL DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=934b.59eca59e.k1710; bh=OyXjgIp8rtSpGz3h7cSuUfS48kt0AgZ4ORNJGA1pfVY=; b=Oj2NCcNwolYy4FhfIQimdj8sgbkyJERfB/AFbSZ7is0d40wWT0SE4rrM23/gKCIYGfOFBQ29NofGI37sY/2yJ2qmDPhUnVuoxgcSb91II3F/TdIp8UmztG2UiYKHCfTheA/3YwdIo/XN9CHlgzL+ojqTyQRx7R9mLUUl6EMm4CgJbNNsWxx617k9AYlAB0HOnIqTAIagowXFUqaVLGX1s5SGDkJJGQ/CokSdnUnPstmlegVru1BEWo6wv5CrmHL8 Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 22 Oct 2017 14:05:18 -0000 Date: 22 Oct 2017 10:05:18 -0400 Message-ID: From: "John R Levine" To: "James Cloos" Cc: dcrup@ietf.org In-Reply-To: References: <20171021164630.90725.qmail@ary.lan> User-Agent: Alpine 2.21 (OSX 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Oct 2017 14:05:21 -0000 On Sun, 22 Oct 2017, James Cloos wrote: > JL> I have no interest in implementing yet another nonstantard mutant > JL> version and I doubt anyone else does either. > > There is nothing mutant about it. Just send whatever would go to a hash > function directly to eddsa. This is exactly what we do *not* want to do. We debugged the DKIM canonicalization and hashing code a decade ago, and have no interest in rewriting it. > Given the (highly) likely lack of library support for pureeddsa, doing > otherwise is unreasonable. If you'll review the messages to which you were responding, you'll find that the plan is to feed the DKIM hash into HashEdDSA since a rehash won't make anything worse other than a tiny slowdown. R's, John From nobody Sun Oct 22 08:30:58 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B89C51398BC for ; Sun, 22 Oct 2017 08:30:56 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vkRx7In_aETg for ; Sun, 22 Oct 2017 08:30:55 -0700 (PDT) Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07B4A1398B9 for ; Sun, 22 Oct 2017 08:30:54 -0700 (PDT) Received: from pps.filterd (m0050102.ppops.net [127.0.0.1]) by m0050102.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v9MFQig0028044; Sun, 22 Oct 2017 16:30:51 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=svRAnhGAWJhhl712fxPQrOj8z10swmYSt/7ClPrMdK8=; b=du2r6Y0zg3eWa3jq3cAEnSWLTKOj1nCsRkSoIqFIYMZb/ym2duDhsEKQd5h6VzjZKvgz 1XUnKGM6b+B2WzTf1+651BQMw+/BQncPCJEoNHTk6YaSXlIf2TUue/E3z8msmMN/UTwu dhWqSEJ0cRc5YjNLOCIt0cxYSLBYRDE5MP4eBWgzhu04F13Si5R452iK5Nj7v3+On1P/ cPrN57Ci+mlAKL+E/vKZFoCeqV7xc6KQRg+ecsrb0GYR6Qbeg+zffX71ewQpwWOI6U+a zvZs8g1v/UZCBTZyl9WoUiAXaRNMkwhvgRhuLN8Ph1UtIy+TRZaXS2oFKfbXy0Abgdxn jg== Received: from prod-mail-ppoint3 ([96.6.114.86]) by m0050102.ppops.net-00190b01. with ESMTP id 2dquacvbak-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 22 Oct 2017 16:30:51 +0100 Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.16.0.21/8.16.0.21) with SMTP id v9MFT2E8019552; Sun, 22 Oct 2017 11:30:50 -0400 Received: from email.msg.corp.akamai.com ([172.27.123.53]) by prod-mail-ppoint3.akamai.com with ESMTP id 2dr1jvbm2x-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sun, 22 Oct 2017 11:30:50 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb3.msg.corp.akamai.com (172.27.123.103) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Sun, 22 Oct 2017 11:30:36 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Sun, 22 Oct 2017 11:30:36 -0400 From: "Salz, Rich" To: John R Levine , James Cloos CC: "dcrup@ietf.org" Thread-Topic: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 Thread-Index: AQHTSgMalWUadeHZz0qDUxO6o5c5vKLt3KAAgAAM7QCAAMKbgIAAGykAgACbm62AAMmwAIAAF9gA Date: Sun, 22 Oct 2017 15:30:36 +0000 Message-ID: References: <20171021164630.90725.qmail@ary.lan> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/f.27.0.171010 x-ms-exchange-messagesentrepresentingtype: 1 x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [172.19.42.123] Content-Type: text/plain; charset="utf-8" Content-ID: Content-Transfer-Encoding: base64 MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-10-22_05:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1710220224 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-10-22_05:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1710220224 Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Oct 2017 15:30:57 -0000 PiAgICAgSWYgeW91J2xsIHJldmlldyB0aGUgbWVzc2FnZXMgdG8gd2hpY2ggeW91IHdlcmUgcmVz cG9uZGluZywgeW91J2xsIGZpbmQgDQogICAgdGhhdCB0aGUgcGxhbiBpcyB0byBmZWVkIHRoZSBE S0lNIGhhc2ggaW50byBIYXNoRWREU0Egc2luY2UgYSByZWhhc2ggd29uJ3QgDQogICAgbWFrZSBh bnl0aGluZyB3b3JzZSBvdGhlciB0aGFuIGEgdGlueSBzbG93ZG93bi4NCiAgICANClJpZ2h0LiAg U28gdGhlIHNpZ25lZCBkYXRhIGlzIGEgaGFzaC4NCg0KTW9zdCBjcnlwdG8gbGlicmFyaWVzIChp bmNsdWRpbmcgdGhlIG9uZSBJIHdvcmsgb24sIE9wZW5TU0wpIGhhdmUgYSBzdGFydC9kaWdlc3Qv ZW5kLXdpdGgtc2lnIEFQSS4gIFdoZW4gYWxsIHRoaXMgd2FzIChlcikgaGFzaGVkIG92ZXIgaW4g Q0ZSRywgd2UgZGVjaWRlZCBjb25zaXN0ZW5jeSBvZiBBUEkgd2FzIGJldHRlci4gIFllcyB0aGlz IG1lYW50IGV2ZXJ5b25lIGhhZCB0byBoYXZlIHRoZSBvcmlnaW5hbCBjb250ZW50LiBJb1QgZGV2 aWNlcyBhbmQgbG9uZyBDUkzigJlzIHdlcmUgYnJvdWdodCB1cCwgYW5kIGl0IHdhcyBkZWNpZGVk IHRoYXQgdGhpcyBpcyBub3QgYSB1c2UtY2FzZSB0byB3b3JyeSBhYm91dC4NCg0KU28gSSB0aGlu ayBzdGFuZGFyZCBFZERTQSBoYXNoaW5nIG9mIERLSU0gZGF0YSB0aGF0IGlzIGEgaGFzaCBvZiBz cGVjaWFsbHktY2Fub25pY2FsaXplZCBkYXRhIG1ha2VzIHNlbnNlLiAgSSBhZ3JlZSB0aGUgY29z dCBvZiBhbiDigJxleHRyYeKAnSBoYXNoIGlzbuKAmXQgd29ydGggd29ycnkgYWJvdXQsIGVzcGVj aWFsbHkgd2hlbiB0aGUgaW5wdXQgaXMgYSBoYXNoLCB0aGUgY29zdCBvZiB0aGUga2V5IG9wZXJh dGlvbnMgd2lsbCBjb21wbGV0ZWx5IGRvbWluYXRlLg0KDQpTcGVha2luZyBhcyBhbiBpbmRpdmlk dWFsLiAgQnV0IHNwZWFraW5nIGFzIGNvLWNoYWlyOiBEb2VzIHRoaXMgbWFrZSBzZW5zZT8NCg0K From nobody Sun Oct 22 08:31:13 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DA611398C2 for ; Sun, 22 Oct 2017 08:31:10 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.8 X-Spam-Level: X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eeTELXv3Rmbm for ; Sun, 22 Oct 2017 08:31:05 -0700 (PDT) Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B35B1398BC for ; Sun, 22 Oct 2017 08:31:05 -0700 (PDT) Received: (qmail 47504 invoked from network); 22 Oct 2017 15:31:03 -0000 Received: from unknown (64.57.183.53) by gal.iecc.com with QMQP; 22 Oct 2017 15:31:03 -0000 Date: 22 Oct 2017 15:30:41 -0000 Message-ID: <20171022153041.1144.qmail@ary.lan> From: "John Levine" To: dcrup@ietf.org Cc: jgh@wizmail.org In-Reply-To: Organization: X-Headerized: yes Mime-Version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8bit Archived-At: Subject: Re: [Dcrup] hashing and rehashing, was dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Oct 2017 15:31:11 -0000 In article you write: >As alternate, could we ask that the libraries doing HashEdDSA make the >intermediate hash available? We could ask, but since the reason we're having this discussion is that we expect them not to implement PureEdDSA which is part of the RFC 8032 spec, it seems vanishingly unlikely that they would add yet another non-standard interface of no interest to anyone else. I would be interested to hear exactly what security or performance problems people think would be introduced by using HashEdDsa on the existing hash. The existing hash can't be that bad since we seem perfecly happy to keep using it with RSA. R's, John PS: "You could do this instead" is not, to the best of my knowledge, a security or performance problem. From nobody Sun Oct 22 08:54:25 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7859D139A56 for ; Sun, 22 Oct 2017 08:54:24 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.109 X-Spam-Level: X-Spam-Status: No, score=0.109 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=kitterman.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DIsenCi0cR99 for ; Sun, 22 Oct 2017 08:54:23 -0700 (PDT) Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [IPv6:2607:f0d0:3001:aa::2]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CB83139A55 for ; Sun, 22 Oct 2017 08:54:23 -0700 (PDT) Received: from [10.209.70.13] (mobile-166-171-56-91.mycingular.net [166.171.56.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 2A05BC4025F; Sun, 22 Oct 2017 10:54:19 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2001409; t=1508687659; bh=O/nN0j7yjlrctSAqWlV9wPnqGyMycdDicxNXnzo3kOU=; h=Date:In-Reply-To:References:Subject:To:From:From; b=ACI7Nxaal4PY9vSwMfqNHahQWjva7nDqWh/X3YSZY5ZHJwzEND0CBjF+F9fWNsmPp +x81aIgo15yVrrmnd5BxRQF4jDfOfqNhd18tIM3p+PVk+CuoxAspHpCCSauSBFqwAR rpv5BIY+8zFOu+IJBYAOhvqA+Eu0s834pDAotFVk= Date: Sun, 22 Oct 2017 15:54:16 +0000 In-Reply-To: References: <20171021164630.90725.qmail@ary.lan> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable To: dcrup@ietf.org From: Scott Kitterman Message-ID: <06AE4775-6BEE-48C6-8E94-1E2BD73377A9@kitterman.com> Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Oct 2017 15:54:24 -0000 On October 22, 2017 11:30:36 AM EDT, "Salz, Rich" wro= te: >> If you'll review the messages to which you were responding, >you'll find=20 >that the plan is to feed the DKIM hash into HashEdDSA since a rehash >won't=20 > make anything worse other than a tiny slowdown=2E > =20 >Right=2E So the signed data is a hash=2E > >Most crypto libraries (including the one I work on, OpenSSL) have a >start/digest/end-with-sig API=2E When all this was (er) hashed over in >CFRG, we decided consistency of API was better=2E Yes this meant >everyone had to have the original content=2E IoT devices and long CRL=E2= =80=99s >were brought up, and it was decided that this is not a use-case to >worry about=2E > >So I think standard EdDSA hashing of DKIM data that is a hash of >specially-canonicalized data makes sense=2E I agree the cost of an >=E2=80=9Cextra=E2=80=9D hash isn=E2=80=99t worth worry about, especially = when the input is a >hash, the cost of the key operations will completely dominate=2E > >Speaking as an individual=2E But speaking as co-chair: Does this make >sense? I think it does=2E Scott K From nobody Mon Oct 23 14:15:35 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 728A513A41F for ; Mon, 23 Oct 2017 14:15:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.699 X-Spam-Level: X-Spam-Status: No, score=0.699 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jhcloos.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sXwvrRPVBWHK for ; Mon, 23 Oct 2017 14:15:33 -0700 (PDT) Received: from ore.jhcloos.com (ore.jhcloos.com [198.147.22.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01C0E13A420 for ; Mon, 23 Oct 2017 14:15:30 -0700 (PDT) Received: by ore.jhcloos.com (Postfix, from userid 10) id 96BAF1E199; Mon, 23 Oct 2017 21:15:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhcloos.com; s=ore17; t=1508793329; bh=apky61/40XmAfPXD4m3uaZM0FGK9FisqOTlslznFbDE=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=PrpFFIZoLGLH9YSTvHD6f3z6h9Npp2yjqs/2kEh9JFdPQwlSQPbiSsQxYWowSiORT 3TpTCpAkdEFBUy3yK6R/aTeDfabCYkSH4wkPNx2yx5wleDo6zsLiCTY4dbMYyDnHeG Ry5O1+xEsEFud/Th2wom+DdX6u2wljTFcWAep/L8PrEEaJR+/LC4s4cN6p2MTg+ra7 aXJ8VE2IfUXtENK2SRaYfqj83Ckc7/cYXRLAHCeI95GJTLsvH+IHdgNkUobDn8z4BZ XbqOsXtFAsuKOPI0SR2eV21oXr9Hw34QPjhRk5+tMEnb0O1TVnOTtxrULpu26WCB5h STq6ojO8286LQ== Received: by carbon.jhcloos.org (Postfix, from userid 500) id 1300C10BC83E2; Mon, 23 Oct 2017 21:15:23 +0000 (UTC) From: James Cloos To: dcrup@ietf.org Cc: John R Levine In-Reply-To: (John R. Levine's message of "22 Oct 2017 10:05:18 -0400") References: <20171021164630.90725.qmail@ary.lan> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.60 (gnu/linux) Face: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAgMAAABinRfyAAAACVBMVEX///8ZGXBQKKnCrDQ3 AAAAJElEQVQImWNgQAAXzwQg4SKASgAlXIEEiwsSIYBEcLaAtMEAADJnB+kKcKioAAAAAElFTkSu QmCC Copyright: Copyright 2017 James Cloos OpenPGP: 0x997A9F17ED7DAEA6; url=https://jhcloos.com/public_key/0x997A9F17ED7DAEA6.asc OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6 Date: Mon, 23 Oct 2017 17:15:23 -0400 Message-ID: Lines: 22 MIME-Version: 1.0 Content-Type: text/plain Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Oct 2017 21:15:34 -0000 >>>>> "JL" == John R Levine writes: >> There is nothing mutant about it. Just send whatever would go to a >> hash function directly to eddsa. JL> This is exactly what we do *not* want to do. How can c(m) *ever* be harder than a(b(m))? The objection really makes no sense. All doing it right means is that you get a signed hash instead of a to-be-signed hash out of the hashing step. It is of course not a performance issue. And if the consensus is to double then so be it, but it had to be mentioned. -JimC -- James Cloos OpenPGP: 0x997A9F17ED7DAEA6 From nobody Mon Oct 23 14:25:26 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4228E13A5CF for ; Mon, 23 Oct 2017 14:25:25 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=XbLfiJ6P; dkim=pass (1536-bit key) header.d=taugh.com header.b=YOyJVbuQ Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E-DiFF_4RqLG for ; Mon, 23 Oct 2017 14:25:23 -0700 (PDT) Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E4F713A415 for ; Mon, 23 Oct 2017 14:25:23 -0700 (PDT) Received: (qmail 99334 invoked from network); 23 Oct 2017 21:25:22 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=18404.59ee5e42.k1710; bh=gqhzq9lFxQhejsOj1Mz8ebVMDxulaopQfsNzhYdHRGs=; b=XbLfiJ6PqbuqtR+hPhdNvA9rf6VHGSZ6Pnt8nhHw8iwm3dlsmkfqivnbKL0ta3ELq8DPVLt1O6lnc7nncTUrje2MzBE6L3cpnudAiOP6HwdsIVHGkF9cXDKGmYLo6+fTw9lvgxC71yo5dCeg7zFhLgIQwtcwqhO3bGbnDRESsR9zxF9ZaEAz+Z2n9OiV7KbbrdELRlEiZp9IR6ZULvr+zKCOC9egpWAIn/wbVtWX3vUuEuOdhNrVJwy9wwnS9VUJ DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=18404.59ee5e42.k1710; bh=gqhzq9lFxQhejsOj1Mz8ebVMDxulaopQfsNzhYdHRGs=; b=YOyJVbuQvb77RMxdvRILd7i41Kg0uFPQKhyPGb32+LgL1a3X9OpMES/sINdQwGQnPsLpT2OhTE1le15dFH8nGM85mzbUQtTLC4MNkQut3/WONBu6uxpyH/VHZJsqEAoXx4avK0eLj0fVjwDgql6wkPJuO9VGaGy+A8Y+Uw1yZYGZcBIjITCeGjoY39iLqhBgRPkax8bjIX6ofRDWFX7ha6XOBtyP9FsIlhrHhGc5fMf7fa+qN1jhPm90OwLjrvE3 Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 23 Oct 2017 21:25:22 -0000 Date: 23 Oct 2017 17:25:21 -0400 Message-ID: From: "John R Levine" To: "James Cloos" Cc: dcrup@ietf.org In-Reply-To: References: <20171021164630.90725.qmail@ary.lan> User-Agent: Alpine 2.21 (OSX 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Oct 2017 21:25:25 -0000 On Mon, 23 Oct 2017, James Cloos wrote: >>>>>> "JL" == John R Levine writes: > >>> There is nothing mutant about it. Just send whatever would go to a >>> hash function directly to eddsa. > > JL> This is exactly what we do *not* want to do. > > How can c(m) *ever* be harder than a(b(m))? When a() and b() are existing, debugged, documented code, and c() is not, it happens all the time. As you note, the performance difference is insignificant. Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly From nobody Mon Oct 23 19:54:35 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89ED8138BCD for ; Mon, 23 Oct 2017 19:54:33 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=fe3d86u1; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=SezKz7ws Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r9bPg3JwqKQ3 for ; Mon, 23 Oct 2017 19:54:31 -0700 (PDT) Received: from winserver.com (pop3.winserver.com [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id 7AFB213B18D for ; Mon, 23 Oct 2017 19:54:31 -0700 (PDT) DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=1378; t=1508813669; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=BrQs5LO2s+AbQyZizFQmq7JEwvo=; b=fe3d86u14vBW6SjFKseQor2gIa3ZO3r3wr921Pb1opnnnv+txT+Wz4Nk/q4sYr /qOZFt/FHovLXENrkq1QoiHnZcvylXpzD+6IHxUJ1PKeysFNT7msyS4r78Bl7WUN +kBrxYlbiJ/0qxDttPs8X0t02cbDwSw0z5GOffkzT/IbU= Received: by winserver.com (Wildcat! SMTP Router v7.0.454.6) for dcrup@ietf.org; Mon, 23 Oct 2017 22:54:29 -0400 Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com; Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v7.0.454.6) with ESMTP id 2977396768.1.3752; Mon, 23 Oct 2017 22:54:28 -0400 DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=1378; t=1508813571; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=WYQkcUl Lmagu0RatLSinzdgUbmSqhcB1HcUfKC68ut4=; b=SezKz7wsQbEWCjO2/pQnOXe UfTOp+G35Pl/rI464oWsuyWGrxJUQlXlbp7qbU1NeenkoVSMikQrsOY+xiFRVNFd jigIxy0w73dTzVsYZespGtKkzs9pGpELagZl5pcyXnILfAeNbxKWhsOr+zrcHUdA KvRyOLC4cvG6SzEE36Sc= Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.6) for dcrup@ietf.org; Mon, 23 Oct 2017 22:52:51 -0400 Received: from [192.168.1.68] ([99.121.5.8]) by beta.winserver.com (Wildcat! SMTP v7.0.454.6) with ESMTP id 2977378937.9.128392; Mon, 23 Oct 2017 22:52:50 -0400 Message-ID: <59EEAB61.4040504@isdg.net> Date: Mon, 23 Oct 2017 22:54:25 -0400 From: Hector Santos Organization: Santronics Software, Inc. User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1 MIME-Version: 1.0 To: dcrup@ietf.org References: <150656461384.13748.13197533071257342162.idtracker@ietfa.amsl.com> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Archived-At: Subject: Re: [Dcrup] Ben Campbell's Yes on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Oct 2017 02:54:33 -0000 On 10/19/2017 4:40 AM, Martin Thomson wrote: > On Thu, Oct 19, 2017 at 6:35 PM, Murray S. Kucherawy > wrote: >>> -4: "Verifiers MUST verify using rsa-sha256." >>> >>> Should this say "...MUST be able to..."? That is, am I correct in assuming >>> that >>> a verifier will use the scheme specified by the signer if it is capable of >>> doing so, and that it doesn't make sense to try to verify with rsa-sha256 >>> if >>> the signer used something else? >> >> >> I see Ben's point, and "MUST be able to..." sounds reasonable to me. I >> think this also addresses Jari's GEN-ART point (to which Mirja alluded), and >> his "MUST implement" suggestion also seems reasonable to me. >> >> What does the WG prefer? > > I saw the original requirement as stipulating a policy requirement in > addition to an implementation requirement. That is, verifiers need to > insist on a valid rsa-sha256 signature or the message is considered > unverified. +1, but I believe the policy requirement is the DKIM signer domain insisting via the public key record using a "h=sha256" tag. The verifier should be ready to invalidate a DKIM sha1 signed message with a hash policy mismatch result/error. An SMTP Verifier spawning a dynamic DKIM-related protocol check at the DATA state can return a permanent negative response code, i.e. 55z. -- HLS From nobody Tue Oct 24 09:40:45 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A65E31393AE for ; Tue, 24 Oct 2017 09:40:43 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cHjlsWnO_QEO for ; Tue, 24 Oct 2017 09:40:42 -0700 (PDT) Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4568139672 for ; Tue, 24 Oct 2017 09:40:40 -0700 (PDT) Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v9OGY8ER000348 for ; Tue, 24 Oct 2017 17:40:40 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : content-type : mime-version; s=jan2016.eng; bh=bkw0yA40xGhjLX3Z0lE1Rh+YnC+Mhnn9GyXKtzu0jBA=; b=Cnt2FqXzq6uXJZ3lJczBCJD+8S5Q+5moz0+JPVLB8srIVT5ti5Lv3IBcxqRUTdsOhQoe mYoy/KTLj8LGVEEo4WexB7YCMgwQZG0/xCVc37LVycOFs8rKzMU9rMELoJF86lvw0qDf yO4ibiVZ2ez4BuXf7MvdA0X61w1h/mFFD5kfDKJp6mLR1fs3jI9TDErpS9MNvBcwiBT8 Ajw7p3Zh4g14URYmDeB/R2w2bTkQwCEpkYiuDDK4vZ+Gy824gwNV4ggul4Jknb8oBPqw L/nfdCJMF47ZD+R8lxztPXg7Dx2MshXCGzTyAHMxyHhhvFQFDE/Y/iLvZQGTGqXRJCq3 Ew== Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19]) by m0050096.ppops.net-00190b01. with ESMTP id 2dqxn6j25p-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 24 Oct 2017 17:40:39 +0100 Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.21/8.16.0.21) with SMTP id v9OGUsLX019832 for ; Tue, 24 Oct 2017 12:40:38 -0400 Received: from email.msg.corp.akamai.com ([172.27.123.34]) by prod-mail-ppoint2.akamai.com with ESMTP id 2dr1ju9g5f-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for ; Tue, 24 Oct 2017 12:40:38 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb1.msg.corp.akamai.com (172.27.123.101) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 24 Oct 2017 12:40:37 -0400 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Tue, 24 Oct 2017 12:40:37 -0400 From: "Salz, Rich" To: "dcrup@ietf.org" Thread-Topic: Agenda items Thread-Index: AQHTTObRdgr1mXE070akWTZ4alrv3w== Date: Tue, 24 Oct 2017 16:40:36 +0000 Message-ID: <323E19EB-0401-42CC-9644-3BCA36D24386@akamai.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/f.27.0.171010 x-ms-exchange-messagesentrepresentingtype: 1 x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [172.19.33.119] Content-Type: multipart/alternative; boundary="_000_323E19EB040142CC96443BCA36D24386akamaicom_" MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-10-24_08:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1710240228 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-10-24_08:, , signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1710240228 Archived-At: Subject: [Dcrup] Agenda items X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Oct 2017 16:40:44 -0000 --_000_323E19EB040142CC96443BCA36D24386akamaicom_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 QmV5b25kIHRoZSBoYXNoaW5nL3JlaGFzaC9tdWx0aS1oYXNoIGl0ZW0sIGlmIHlvdSBoYXZlIG90 aGVyIHRoaW5ncyB5b3UgdGhpbmcgd2Ugc2hvdWxkIHRhbGsgYWJvdXQsIG9yIGlmIHlvdSB3YW50 IHRvIHByZXNlbnQgKGxvY2FsbHkgb3IgcmVtb3RlbHkpLCBwbGVhc2UgcG9zdC4NCg0KV2UgaGF2 ZSAwLjUgaG91cnMgV2VkbmVzZGF5IG1vcm5pbmcgKG5vdCAyLjUgOikNCg== --_000_323E19EB040142CC96443BCA36D24386akamaicom_ Content-Type: text/html; charset="utf-8" Content-ID: <31B07B8C63988E43908D3BA025A6C59A@akamai.com> Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6bz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6b2ZmaWNlIiB4 bWxuczp3PSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOm9mZmljZTp3b3JkIiB4bWxuczptPSJo dHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL29mZmljZS8yMDA0LzEyL29tbWwiIHhtbG5zPSJo dHRwOi8vd3d3LnczLm9yZy9UUi9SRUMtaHRtbDQwIj4NCjxoZWFkPg0KPG1ldGEgaHR0cC1lcXVp dj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9dXRmLTgiPg0KPG1l dGEgbmFtZT0iVGl0bGUiIGNvbnRlbnQ9IiI+DQo8bWV0YSBuYW1lPSJLZXl3b3JkcyIgY29udGVu dD0iIj4NCjxtZXRhIG5hbWU9IkdlbmVyYXRvciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTUg KGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxlPjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8N CkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6IkNhbWJyaWEgTWF0aCI7DQoJcGFub3NlLTE6MiA0 IDUgMyA1IDQgNiAzIDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OkNhbGlicmk7DQoJ cGFub3NlLTE6MiAxNSA1IDIgMiAyIDQgMyAyIDQ7fQ0KLyogU3R5bGUgRGVmaW5pdGlvbnMgKi8N CnAuTXNvTm9ybWFsLCBsaS5Nc29Ob3JtYWwsIGRpdi5Nc29Ob3JtYWwNCgl7bWFyZ2luOjBpbjsN CgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJZm9udC1zaXplOjEyLjBwdDsNCglmb250LWZhbWls eToiQ2FsaWJyaSIsc2Fucy1zZXJpZjt9DQphOmxpbmssIHNwYW4uTXNvSHlwZXJsaW5rDQoJe21z by1zdHlsZS1wcmlvcml0eTo5OTsNCgljb2xvcjojMDU2M0MxOw0KCXRleHQtZGVjb3JhdGlvbjp1 bmRlcmxpbmU7fQ0KYTp2aXNpdGVkLCBzcGFuLk1zb0h5cGVybGlua0ZvbGxvd2VkDQoJe21zby1z dHlsZS1wcmlvcml0eTo5OTsNCgljb2xvcjojOTU0RjcyOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRl cmxpbmU7fQ0Kc3Bhbi5FbWFpbFN0eWxlMTcNCgl7bXNvLXN0eWxlLXR5cGU6cGVyc29uYWwtY29t cG9zZTsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsc2Fucy1zZXJpZjsNCgljb2xvcjp3aW5kb3d0 ZXh0O30NCnNwYW4ubXNvSW5zDQoJe21zby1zdHlsZS10eXBlOmV4cG9ydC1vbmx5Ow0KCW1zby1z dHlsZS1uYW1lOiIiOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7DQoJY29sb3I6dGVhbDt9 DQouTXNvQ2hwRGVmYXVsdA0KCXttc28tc3R5bGUtdHlwZTpleHBvcnQtb25seTsNCglmb250LWZh bWlseToiQ2FsaWJyaSIsc2Fucy1zZXJpZjt9DQpAcGFnZSBXb3JkU2VjdGlvbjENCgl7c2l6ZTo4 LjVpbiAxMS4waW47DQoJbWFyZ2luOjEuMGluIDEuMGluIDEuMGluIDEuMGluO30NCmRpdi5Xb3Jk U2VjdGlvbjENCgl7cGFnZTpXb3JkU2VjdGlvbjE7fQ0KLS0+PC9zdHlsZT4NCjwvaGVhZD4NCjxi b2R5IGJnY29sb3I9IndoaXRlIiBsYW5nPSJFTi1VUyIgbGluaz0iIzA1NjNDMSIgdmxpbms9IiM5 NTRGNzIiPg0KPGRpdiBjbGFzcz0iV29yZFNlY3Rpb24xIj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0Ij5CZXlvbmQgdGhlIGhhc2hpbmcvcmVoYXNo L211bHRpLWhhc2ggaXRlbSwgaWYgeW91IGhhdmUgb3RoZXIgdGhpbmdzIHlvdSB0aGluZyB3ZSBz aG91bGQgdGFsayBhYm91dCwgb3IgaWYgeW91IHdhbnQgdG8gcHJlc2VudCAobG9jYWxseSBvciBy ZW1vdGVseSksIHBsZWFzZSBwb3N0LjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0Ij48bzpwPiZuYnNwOzwvbzpw Pjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXpl OjExLjBwdCI+V2UgaGF2ZSAwLjUgaG91cnMgV2VkbmVzZGF5IG1vcm5pbmcgKG5vdCAyLjUgOik8 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvYm9keT4NCjwvaHRtbD4NCg== --_000_323E19EB040142CC96443BCA36D24386akamaicom_-- From nobody Tue Oct 24 12:02:27 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 138D01393A1 for ; Tue, 24 Oct 2017 12:02:26 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JkfITMQUgeNU for ; Tue, 24 Oct 2017 12:02:25 -0700 (PDT) Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24444139567 for ; Tue, 24 Oct 2017 12:02:07 -0700 (PDT) Received: (qmail 22153 invoked from network); 24 Oct 2017 19:02:06 -0000 Received: from unknown (64.57.183.53) by gal.iecc.com with QMQP; 24 Oct 2017 19:02:06 -0000 Date: 24 Oct 2017 19:01:44 -0000 Message-ID: <20171024190144.7166.qmail@ary.lan> From: "John Levine" To: dcrup@ietf.org Cc: rsalz@akamai.com In-Reply-To: <323E19EB-0401-42CC-9644-3BCA36D24386@akamai.com> Organization: X-Headerized: yes Mime-Version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8bit Archived-At: Subject: Re: [Dcrup] Agenda items X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Oct 2017 19:02:26 -0000 In article <323E19EB-0401-42CC-9644-3BCA36D24386@akamai.com> you write: >-=-=-=-=-=- >Beyond the hashing/rehash/multi-hash item, if you have other things you thing we should talk about, or >if you want to present (locally or remotely), please post. There still seems to be some disagreement about whether to do both key hashed RSA and Ed25519. I can make a slide out of the list of pros and cons but I don't have much more to say than that. R's, John From nobody Tue Oct 24 12:55:53 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6FF713B482 for ; Tue, 24 Oct 2017 12:55:51 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.998 X-Spam-Level: X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id odpxYbkKsc3r for ; Tue, 24 Oct 2017 12:55:50 -0700 (PDT) Received: from mail-qt0-x230.google.com (mail-qt0-x230.google.com [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FB2E1397F3 for ; Tue, 24 Oct 2017 12:55:50 -0700 (PDT) Received: by mail-qt0-x230.google.com with SMTP id z50so32015384qtj.4 for ; Tue, 24 Oct 2017 12:55:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=NFY5EikxAVhPiMAe2opNPaImKIHTvTLAPWPuPiJqug0=; b=fFoBB5/imnuE9EKcs05/7km1KUzLyKFhxByGzooer30VpMJ/O2hZ2laL9vb/uZOfTl WCf1EnMOnP1wzQJUtFDgLVgeBAD44Dw2/yuo4NK47McotzJlrUYyZ/RhoYwy9SLAZ5L8 i8bYfcXn3lwzmQGYsF6sQcJ4VY6rrNjhoSGWUD2dTWBrXGvXP2ZM/qR3sagS9EcFpASy ASuuTF8W3Q0DgyBSwKu6f9Pn8pbIPYKvLooNXROLquahN2gAhIsxotoZRbMgyo4SQmDu wls93VvRgBrhPSs8VoMSCNcDndG53S6R7m8d8uiY/A0jf8byvDcPd4rLnyPrP2zfsY+d MNdg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=NFY5EikxAVhPiMAe2opNPaImKIHTvTLAPWPuPiJqug0=; b=Xnfdxv0h+OuW0I3Vp/rizTay9O+4nVIs1BB4luLbB4/WTMHukgmD5WDc4hV4BhWtFW Pz8JfNoyXFN64Elw0UZR230qrs/lBFEl6vBQMMBV8LGCyniYHkegr55uO08nbc0jojzd Ke+Dv/cyDvM0zJWpPylVtghiJ70sWKLdVYkiR0H+XscN7NJSyVr0nS/9tArkMRJlZTrb P8tU7dGQ3ZjdW4dPTqRydzo2oc9rG03bxkKY5KsHqvdc6BNGsIpY5CuK6lWYYqexFnFY 6uqcB3vuQl0mCz/fIl2URhGtejKy28bzr7EYkmSXQzK7fuZ2am6VrHOxz4eT9a3mGPjZ ggSQ== X-Gm-Message-State: AMCzsaWy8pfmDqKbA0iYgBIy/A62ANold3G6od49AeIMh4HGhlUKsHLD u2PPerHzoWo/zp2HPmrjjk4ZuunluV3u9s7men9Egg== X-Google-Smtp-Source: ABhQp+Qv7QQQuHea+IpFucpLU/VycXJkJVlDsHTXJgxk9js7QKX9ds37MnCQhVKpIhw6JjjmyUdaOs//cHcs31LbxRw= X-Received: by 10.200.39.238 with SMTP id x43mr28726795qtx.154.1508874949287; Tue, 24 Oct 2017 12:55:49 -0700 (PDT) MIME-Version: 1.0 Received: by 10.200.40.115 with HTTP; Tue, 24 Oct 2017 12:55:48 -0700 (PDT) In-Reply-To: References: <150656461384.13748.13197533071257342162.idtracker@ietfa.amsl.com> From: "Murray S. Kucherawy" Date: Tue, 24 Oct 2017 12:55:48 -0700 Message-ID: To: Kurt Andersen Cc: dcrup@ietf.org Content-Type: multipart/alternative; boundary="001a114104225ce4ef055c505309" Archived-At: Subject: Re: [Dcrup] Ben Campbell's Yes on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Oct 2017 19:55:52 -0000 --001a114104225ce4ef055c505309 Content-Type: text/plain; charset="UTF-8" On Thu, Oct 19, 2017 at 8:44 AM, Kurt Andersen wrote: > On Thu, Oct 19, 2017 at 12:35 AM, Murray S. Kucherawy > wrote: > >> >> I see Ben's point, and "MUST be able to..." sounds reasonable to me. I >> think this also addresses Jari's GEN-ART point (to which Mirja alluded), >> and his "MUST implement" suggestion also seems reasonable to me. >> >> What does the WG prefer? >> > > "MUST be able to" seems to capture the intent. > I concur (as an individual). And as chair, I'd say this small issue probably has consensus, so Scott, please make this tweak and resubmit (modulo the other post-IESG thread) and then Alexey can send it on its way. -MSK --001a114104225ce4ef055c505309 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Thu, Oct 19, 2017 at 8:44 AM, Kurt Andersen <kurta@dr= kurt.com> wrote:
On Thu, Oct 19, 20= 17 at 12:35 AM, Murray S. Kucherawy <superuser@gmail.com> = wrote:

I see Ben's po= int, and "MUST be able to..." sounds reasonable to me.=C2=A0 I th= ink this also addresses Jari's GEN-ART point (to which Mirja alluded), = and his "MUST implement" suggestion also seems reasonable to me.<= /div>

What does the WG prefer?

"MUS= T be able to" seems to capture the intent.

I concur (as an individual).

And as chair, = I'd say this small issue probably has consensus, so Scott, please make = this tweak and resubmit (modulo the other post-IESG thread) and then Alexey= can send it on its way.

-MSK
--001a114104225ce4ef055c505309-- From nobody Tue Oct 24 12:58:15 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 188A413F83C for ; Tue, 24 Oct 2017 12:58:14 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.698 X-Spam-Level: X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DPIgMUB1lYSw for ; Tue, 24 Oct 2017 12:58:12 -0700 (PDT) Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60AAF13A039 for ; Tue, 24 Oct 2017 12:58:12 -0700 (PDT) Received: by mail-qk0-x22b.google.com with SMTP id w134so27843998qkb.0 for ; Tue, 24 Oct 2017 12:58:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=/9aZGNFDNz+rtDoutC/0Z2gRZFQGu4U6leLLkZqvPac=; b=aYKGhMZysAFpUR0LFHOEgDU3UChrezXWwb94nxyi8+iEDaYy3XRsBiyUZKo3RxfpCG w5ifjz7qRh5jnvKecpPKa9o8oU/P7QsfTNLi4Rg4ns/e+1nxkqEPhPWLPSXxRKY5kJaa 0hYBEMEBPs9rCemCAVDTy6frB8V/kLWyd0QNBWHNvrnyx7dFB+IvrhJBtwsTA/Kj7CV3 pyKQ/8WqXhOfdP6Tcj0874imC1F8B6tHatwzBHV8OTPj3Wvqu3bWuMwg34tqNOr0VHa+ x2opuhziwLy8h/So44Zx0S65YecDlIDf9/34j0F7O4WAgoZUIIPMo3p0STIW/Smm+Wvz Cuvw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=/9aZGNFDNz+rtDoutC/0Z2gRZFQGu4U6leLLkZqvPac=; b=NrB0NeQp4AsotvQ32WPSd8jHi9TR7K57dN6e6XqO0xNl2fVwtZdfe8nxHs74XPSZ6e DHjULpEkMHj14ADn+Z5LTX9HVgYYMo6Mn8hxnEXf6tCeq72Q4QJ1CwPjgNqL0Nx3dsgL 1ZKPyzFcEYb8w1weJijASf9jw23x6JuVhznqmsOImCHw2wyH8WmP4SqAn3p1ZjibWy5a pijQSERQE7OlE21bugH6WjDwWGNf0xmkf6ou/xXbka0yxetKcWXiIEofb1bbjrEpxNgo 1oJtnSc//PVJfh0iTEKquu0a57fXwask19ZwaOFvKd1rYCpHQ/Xu6o614pcILuP/Wy1+ g5Kw== X-Gm-Message-State: AMCzsaXP7VRa8DnbP2Q7a+DVSfr72kKSuq5t0aze7iZqmdWQtJiDhlL4 +f/fXf0ZmrPV4TztSejTw39fDRy2maOFJ9iTAmUVgg== X-Google-Smtp-Source: ABhQp+RCOBBWoKjXvSAF+ekynaDLlQXJzbkivjCO6wqmwto3/uDD+KyD6WKiiGkbPzXjx6WsESMmaN7rqmZo/uKSUJI= X-Received: by 10.55.108.135 with SMTP id h129mr26055170qkc.111.1508875091351; Tue, 24 Oct 2017 12:58:11 -0700 (PDT) MIME-Version: 1.0 Received: by 10.200.40.115 with HTTP; Tue, 24 Oct 2017 12:58:10 -0700 (PDT) In-Reply-To: <2E80204C-37D7-4624-BD23-573C386D7899@kitterman.com> References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> <2E80204C-37D7-4624-BD23-573C386D7899@kitterman.com> From: "Murray S. Kucherawy" Date: Tue, 24 Oct 2017 12:58:10 -0700 Message-ID: To: Scott Kitterman Cc: dcrup@ietf.org Content-Type: multipart/alternative; boundary="001a1148809ad4a029055c505be8" Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Oct 2017 19:58:14 -0000 --001a1148809ad4a029055c505be8 Content-Type: text/plain; charset="UTF-8" On Thu, Oct 19, 2017 at 3:54 AM, Scott Kitterman wrote: > My assumption had been that since there's no valid signature with > rsa-sha1, there's nothing to even consider putting in an A-R header field. > > I think the only result that can go in this case is None. I hadn't > thought we'd need to say that, but I guess maybe we do. > I think "policy" is the right way to go. There's nothing technically wrong with an rsa-sha1 signature, but you're deciding not to accept it. It's the same as you deciding you're not going to accept a perfectly valid rsa-sha256 signature on a message simply because that signature didn't include the Subject field. -MSK --001a1148809ad4a029055c505be8 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Thu, Oct 19, 2017 at 3:54 AM, Scott Kitterman <skli= st@kitterman.com> wrote:
My assumption had been = that since there's no valid signature with rsa-sha1, there's nothin= g to even consider putting in an A-R header field.

I think the only result that can go in this case is None.=C2=A0 I hadn'= t thought we'd need to say that, but I guess maybe we do.

I think "policy" is the right way to go.= =C2=A0 There's nothing technically wrong with an rsa-sha1 signature, bu= t you're deciding not to accept it.=C2=A0 It's the same as you deci= ding you're not going to accept a perfectly valid rsa-sha256 signature = on a message simply because that signature didn't include the Subject f= ield.

-MSK
--001a1148809ad4a029055c505be8-- From nobody Tue Oct 24 13:04:03 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6DA113B482 for ; Tue, 24 Oct 2017 13:04:00 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.698 X-Spam-Level: X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id llGYranD46G4 for ; Tue, 24 Oct 2017 13:03:59 -0700 (PDT) Received: from mail-qk0-x236.google.com (mail-qk0-x236.google.com [IPv6:2607:f8b0:400d:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E058139938 for ; Tue, 24 Oct 2017 13:03:59 -0700 (PDT) Received: by mail-qk0-x236.google.com with SMTP id b15so27839134qkg.9 for ; Tue, 24 Oct 2017 13:03:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=CZNxSyx1NobsgeztxVKAKHBeqV3iRnya4AeZq+BGvVo=; b=gPCkJULPdXjp7BMMhSibNacFiObECKYX7yiBrmPvu/8y0ZAHeHPbmAau6xw6Sy5sm9 jFUbswaw8yehFzbf3gHpEX8DLtyzHe+6eu3LzDe1Syl6WkR02zrJBqnzn8IlE6D/CZ2t JbLSz+vm49VwKo3ewRULdrnLPog2VIf/fI3DltEWDfXXt/pZz3fAyqK85mKibgy9CJo0 wYXPFNoI+NhzxxTdFUUTcNUnDiN41sqT0a1CFITS2b65Px9mlqjjhm7X+ZkdZBXO6xNM DtZEEROT0X84BGBzvNqmxG1BTG/f95xGLXVKULcWSPsrPQd1jIq5ffQQtbAiB/B71OTW 8EWQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=CZNxSyx1NobsgeztxVKAKHBeqV3iRnya4AeZq+BGvVo=; b=rkVHcvX3GqC7GVV5ey/iGDnQiDk+w0JFQ97VoLRRiAWTX7z9juClthq3dh79bCthBZ /zaN5scCQddyPW+cBMSZ1XkqTGHcRonMNC+UGRzjNmHaZc/3/zbiteOMuyUqLxVgsheA cl5cMqvOa4F/QWuJqANc4/ZgCSWPXbQs5kJaLoU4HvAbRdf9uA6VDIjPZ7tRPQhxUYLS tw+2ryj9QTDAozXQevViH5FJu1WmvEwSfGg4aqqN+N1osU2Qjztrx1i/qA56VGqqMbgA 1LcjZPfxokozCpSpZYlZQ+tXN4HjccYZPoR1IWTUZ7CwZTzPaBpLba1ecDyPzFv2SJ8Y 3elg== X-Gm-Message-State: AMCzsaWvI69SdJbldOY9OjztBW9ocXrGwn3C+2hRIlgRZTgKeENEVgyg lELezsgkzH1zl+bzVU6RcBsG54pxRv2Z+XjpBuyaxQ== X-Google-Smtp-Source: ABhQp+TuL/uuDdPKthw9VRq2GGjmkktpaoe1yVo/EcOJi414mylfFPFQSi75alrvhldSfSJnX6Etc02lIwGIi1G/5e4= X-Received: by 10.55.179.196 with SMTP id c187mr141039qkf.249.1508875438277; Tue, 24 Oct 2017 13:03:58 -0700 (PDT) MIME-Version: 1.0 Received: by 10.200.40.115 with HTTP; Tue, 24 Oct 2017 13:03:57 -0700 (PDT) In-Reply-To: References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> <2E80204C-37D7-4624-BD23-573C386D7899@kitterman.com> From: "Murray S. Kucherawy" Date: Tue, 24 Oct 2017 13:03:57 -0700 Message-ID: To: Scott Kitterman Cc: dcrup@ietf.org Content-Type: multipart/alternative; boundary="94eb2c0628c68248e0055c507083" Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Oct 2017 20:04:01 -0000 --94eb2c0628c68248e0055c507083 Content-Type: text/plain; charset="UTF-8" On Tue, Oct 24, 2017 at 12:58 PM, Murray S. Kucherawy wrote: > On Thu, Oct 19, 2017 at 3:54 AM, Scott Kitterman > wrote: > >> My assumption had been that since there's no valid signature with >> rsa-sha1, there's nothing to even consider putting in an A-R header field. >> >> I think the only result that can go in this case is None. I hadn't >> thought we'd need to say that, but I guess maybe we do. >> > > I think "policy" is the right way to go. There's nothing technically > wrong with an rsa-sha1 signature, but you're deciding not to accept it. > It's the same as you deciding you're not going to accept a perfectly valid > rsa-sha256 signature on a message simply because that signature didn't > include the Subject field. > In fact I would claim that by the definitions in Section 2.7.1 of RFC7601, "policy" is the only option. -MSK --94eb2c0628c68248e0055c507083 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Tue, Oct 24, 2017 at 12:58 PM, Murray S. Kucherawy <= superuser@gmail.com> wrote:
On Thu, Oct 19, 2017 at 3:54 AM, Scott Kitterman <sklist@= kitterman.com> wrote:
My= assumption had been that since there's no valid signature with rsa-sha= 1, there's nothing to even consider putting in an A-R header field.

I think the only result that can go in this case is None.=C2=A0 I hadn'= t thought we'd need to say that, but I guess maybe we do.

I think "policy" is the right way t= o go.=C2=A0 There's nothing technically wrong with an rsa-sha1 signatur= e, but you're deciding not to accept it.=C2=A0 It's the same as you= deciding you're not going to accept a perfectly valid rsa-sha256 signa= ture on a message simply because that signature didn't include the Subj= ect field.

In fact = I would claim that by the definitions in Section 2.7.1 of RFC7601, "po= licy" is the only option.

-MSK
--94eb2c0628c68248e0055c507083-- From nobody Tue Oct 24 13:06:01 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 218A713B482 for ; Tue, 24 Oct 2017 13:05:59 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.585 X-Spam-Level: X-Spam-Status: No, score=-0.585 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pPmGORsoKaE7 for ; Tue, 24 Oct 2017 13:05:57 -0700 (PDT) Received: from mail-qt0-x22f.google.com (mail-qt0-x22f.google.com [IPv6:2607:f8b0:400d:c0d::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4A441394FB for ; Tue, 24 Oct 2017 13:05:57 -0700 (PDT) Received: by mail-qt0-x22f.google.com with SMTP id 8so32079309qtv.1 for ; Tue, 24 Oct 2017 13:05:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=6V56vk5fL1RgTM1XcoAkKit/5ISEIE6x7CFA2wTEZGc=; b=Jqs4r4OVM4YMxBFRuF1q9Q8N67rLe+GLVyaYeYxzjUQ3vYZSvSkE5dBxz8VDYdjnI8 ln7xpXspwprAJWXbZGt+J4en4gUdSkMz5jLyGVeMmk68GadWRbybUGfUAlOhMOD1XoMV zJNZZMSyDezEUiE7lt2g5u0jC5eKMamUTGAKw4nZi2TOqIwWpdW59+cHnYLxp3MXcXb4 oQ/sqDbBHZRdUCSQhvsRMb6P7/gP38j9dm8/eXE/OhIV2/gzjq7+RknkH/QN4spzdnx4 TUY8nwtMVhi9EOr8u3OKglgaPU9aJELwRWXFX5i0N3sJ5mOVSpqs/lMWDZsOav7Ay4j2 ZHdw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=6V56vk5fL1RgTM1XcoAkKit/5ISEIE6x7CFA2wTEZGc=; b=DkvJVjisaRwCvcMRdoSlBNcFQCePtTeWn1m/IjedkvmjGlhrq6BmRQIvZWsaoQZAya J41v6zXENxH5zoZcKhLfVv8S8mSXFuFRpQ1ZjrfNfEHfWd6I6siPLruIpUjnKoQ/PhJM Mo4g9snjcgNk8Bl97RfJIBGZicvXOQD5Mwdq+X995aJ87xu86xoDxwrDz27/bmSCxZ2l Bc0KRbzODIv2RK6U1VW6151bXSpw+7AkVr/OvuAUsH1kwrlAm9gLJmEl474LNG+uSRvn CwmYM2q2KeX8iFAHrh3/1fe6+YndRkUDjV7a1zkNvjGTtXqySO9e1zS2+pPD8ruTSCqG +Rsw== X-Gm-Message-State: AMCzsaUaKXRK+eDN0Ij1vJkQNmkhoDxe//6KYpLUcYLq7fpKfDNoGnVn vMWvlqrNN54hiuoyHcsNRVnK6nBt0/qXawr5mJwy/93ApyE= X-Google-Smtp-Source: ABhQp+QRL51HWUvilUBMoThobgRLP6tTJ7OfIz9nRrqYigT0Ng+paatgxrzFkNsI2EJ2MwG8XiFP2G8gx2M6Xbn7W9Q= X-Received: by 10.237.34.201 with SMTP id q9mr26940935qtc.198.1508875556503; Tue, 24 Oct 2017 13:05:56 -0700 (PDT) MIME-Version: 1.0 Received: by 10.200.28.3 with HTTP; Tue, 24 Oct 2017 13:05:36 -0700 (PDT) In-Reply-To: References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> <2E80204C-37D7-4624-BD23-573C386D7899@kitterman.com> From: Seth Blank Date: Tue, 24 Oct 2017 13:05:36 -0700 Message-ID: To: dcrup@ietf.org Content-Type: multipart/alternative; boundary="001a1137b67a8e6a05055c507717" Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Oct 2017 20:05:59 -0000 --001a1137b67a8e6a05055c507717 Content-Type: text/plain; charset="UTF-8" On Tue, Oct 24, 2017 at 1:03 PM, Murray S. Kucherawy wrote: > > In fact I would claim that by the definitions in Section 2.7.1 of RFC7601, > "policy" is the only option. > I wanted to strongly argue for "fail" over "policy" here - but I concur that within the confines of the current definition of fail in 7601, "policy" is the only option that fits. fail: The message was signed and the signature or signatures were acceptable to the ADMD, but they failed the verification test(s). -- [image: logo for sig file.png] Bringing Trust to Email Seth Blank | Director of Industry Initiatives seth@valimail.com +1-415-894-2724 <415-894-2724> --001a1137b67a8e6a05055c507717 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On T= ue, Oct 24, 2017 at 1:03 PM, Murray S. Kucherawy <superuser@gmail.com> wrote:
In fa= ct I would claim that by the definitions in Section 2.7.1 of RFC7601, "= ;policy" is the only option.

I wanted to strongly argue for "= fail" over "policy" here - but I concur that within the conf= ines of the current definition of fail in 7601, "policy" is the o= nly option that fits.


<= div>--=C2=A0
--001a1137b67a8e6a05055c507717-- From nobody Tue Oct 24 13:12:38 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07D77139F73 for ; Tue, 24 Oct 2017 13:12:37 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.6 X-Spam-Level: X-Spam-Status: No, score=-0.6 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jhcloos.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6nbxC0bM_hir for ; Tue, 24 Oct 2017 13:12:35 -0700 (PDT) Received: from ore.jhcloos.com (ore.jhcloos.com [IPv6:2604:2880::b24d:a297]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49086132055 for ; Tue, 24 Oct 2017 13:12:35 -0700 (PDT) Received: by ore.jhcloos.com (Postfix, from userid 10) id 2886F1E1C5; Tue, 24 Oct 2017 20:12:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhcloos.com; s=ore17; t=1508875954; bh=nl55tcTSe+O/OMCIJsdqypE74Z3Ssr5lw7EMKwW6G6M=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=bb4zJ4akThQhJhLMB/z5ywKmXqPtkKPprmlNZ8nb8eHpnHEKU/N/e7SeWanPYkDJY 2zQ83PwyHDyOXBXJl7aFjsHoNMpYv7tm/mnHBc+WfLDwc3RFrZcNQBofvK++Ftvfnk wdwDZeIwAIpHz2ICIUx/WmL95X01LQQ6MCUI9MUTNtGjCs6OwMQmZqS6fc3xxVs/tO q7ad3bTPDNQ6xUO9tkIjb55a4Y+WcAX0/WyRbGX+zFvErBuo4TwnI1J+KMxcXo1chK IVPLt+XxKrDdmfjxsk7ovVU7PCQWeAod+KttE7rQiS8lbsU+ARmnD7Vz66kGwwbPzy 0XjtWygP1Us1w== Received: by carbon.jhcloos.org (Postfix, from userid 500) id 7B7D110BC83E1; Tue, 24 Oct 2017 20:12:27 +0000 (UTC) From: James Cloos To: "John R Levine" Cc: dcrup@ietf.org In-Reply-To: (John R. Levine's message of "23 Oct 2017 17:25:21 -0400") References: <20171021164630.90725.qmail@ary.lan> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.60 (gnu/linux) Face: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAgMAAABinRfyAAAACVBMVEX///8ZGXBQKKnCrDQ3 AAAAJElEQVQImWNgQAAXzwQg4SKASgAlXIEEiwsSIYBEcLaAtMEAADJnB+kKcKioAAAAAElFTkSu QmCC Copyright: Copyright 2017 James Cloos OpenPGP: 0x997A9F17ED7DAEA6; url=https://jhcloos.com/public_key/0x997A9F17ED7DAEA6.asc OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6 Date: Tue, 24 Oct 2017 16:12:27 -0400 Message-ID: Lines: 10 MIME-Version: 1.0 Content-Type: text/plain Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Oct 2017 20:12:37 -0000 >>>>> "JRL" == John R Levine writes: JRL> When a() and b() are existing, debugged, documented code, and c() is JRL> not, it happens all the time. But c() is eddsa(), so you can't call it undebugged or undocumented. -JimC -- James Cloos OpenPGP: 0x997A9F17ED7DAEA6 From nobody Tue Oct 24 13:30:11 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC082139938 for ; Tue, 24 Oct 2017 13:30:09 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=d3MIqgap; dkim=pass (1536-bit key) header.d=taugh.com header.b=hArZJ03G Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lyP63C7f30D0 for ; Tue, 24 Oct 2017 13:30:08 -0700 (PDT) Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08A7B132055 for ; Tue, 24 Oct 2017 13:30:07 -0700 (PDT) Received: (qmail 41550 invoked from network); 24 Oct 2017 20:30:07 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=a24c.59efa2cf.k1710; bh=/S/K1OxT5zAyD9SgN0MiCnWar1rDnt26Exb4ywr3RBk=; b=d3MIqgapco9fuuFYENHRmS61L3Yu4fXhwTpICugSs2gmKu+JU6Cr5x2suNzMi76R7sFiotYJNzlX18JQjPNj0tIVEX6/Q6/mkhHV4Q5N1HpTp9mktWI2Xtr/A89g06NhfT2AXyKnD1oBt0S3w1+SQJEOZGuhrZR2pzk753QABa2uNJiwz/T7tQq7OgtHnNyPJ9EDvJWigNrI73r8s924SpIYrSHjgH8NJCh2tN8eR2Dl1DjVwwTWMxWtxwqoDU8u DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=a24c.59efa2cf.k1710; bh=/S/K1OxT5zAyD9SgN0MiCnWar1rDnt26Exb4ywr3RBk=; b=hArZJ03GAkAb5/nw3k5zdhUoDLKI6dc/65NLtmVpdgiMlUsBn51DvWiYoWCBYfXn+dOk2b3PCc/v7SJCqHyKBZVRJLmc0P3BU8+ONWjCVZ7HcjowMRJdqzjJQbjVeIFWV/qF/Bz25Ubtv7+RLJ5XKB9JKD3Bx1+ZQo6gRYx7ZAwD5wUlq8nuqEv7UbGNy0RIleRU5tC7ARkn3fm67b6HloWaLkj3Df5gmw2GmyiiFSEnqUf1aJdY7UAz2JB40Q9E Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 24 Oct 2017 20:30:06 -0000 Date: 24 Oct 2017 16:30:06 -0400 Message-ID: From: "John R Levine" To: "James Cloos" Cc: dcrup@ietf.org In-Reply-To: References: <20171021164630.90725.qmail@ary.lan> User-Agent: Alpine 2.21 (OSX 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Oct 2017 20:30:10 -0000 > JRL> When a() and b() are existing, debugged, documented code, and c() is > JRL> not, it happens all the time. > > But c() is eddsa(), so you can't call it undebugged or undocumented. Sorry, this is hopeless. If it's not self-evident why we want to use existing DKIM routines that produce a short fixed-length hash rather than tearing the libraries apart to invent new interfaces that produce variable length text, potentially very long text so it'd need some kind of coroutine to produce it in chunks, I don't think I can help. Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly From nobody Tue Oct 24 13:48:47 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 180961394F2 for ; Tue, 24 Oct 2017 13:48:46 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.698 X-Spam-Level: X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EF8ILwjpCBBk for ; Tue, 24 Oct 2017 13:48:44 -0700 (PDT) Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 910941390EE for ; Tue, 24 Oct 2017 13:48:44 -0700 (PDT) Received: by mail-qk0-x229.google.com with SMTP id k123so28018596qke.3 for ; Tue, 24 Oct 2017 13:48:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=4dF173C5OZYCJjs5sSgcG9lfEgLGnVsh/1Wmqt7TpZA=; b=QUOtMFNNVSH6GKtpgEx2+IpBV5GBub6+/S030mUcvCevuwbrfgfnsuV/hGhhqB5n9h QuOtzwR2jjv/S6KT1d2r5Z2lBzng9DbADdr/iGnXdqliKIprGAmJ7srrmNq39VMlFIMl rzIkQzNiRkegjjEjMqpXiTP77isja36gu6UpCM6MFf6DCL/iW3ITsfdLWcPIFyB+nRGp wwHaZnf6+gSBcCmtDnk2Jp77YptfxwIa4ZIEDEt8V0mV7VKOFsDuiOqljkMHf3CvfIkI 4s8nxEOaD3D3LoZswMgA4WWYttLZ7zuggzJu5NaNBc+7Ingzrk9Pp22z9Fy7bfPTzt9s DMfg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=4dF173C5OZYCJjs5sSgcG9lfEgLGnVsh/1Wmqt7TpZA=; b=U4DBPkLKmsyE+4lzmvSC/KyeMXa3nnB3E95ZkXtTqv9H1/FkEzwtX8G2fczBr1haBr sezyWl/OptgnvwpumlyZQ7YC7M2zwCBrDOeNe+GiY1xP+baV+xu1tujNY4pxBllY+X5/ qQY8RAcv7kE8ScEpTraTXAqbO1SrHRbXl1p/gDTpdzOdsp83PAL7IPuB+lP6dwlcbQ/h E2hYALoV//oa3s4yAFrhCIzCCwPotzBxGjSrL0+dVRhRGVLEwuBeZ3SiACqz7GdEZj8s a74Scx9IEoc5/mTCQ+GG32LHKTreGUt09ykHbxVR0GGavZuzVbOs84mej7neTylDbRvy EJvw== X-Gm-Message-State: AMCzsaVBEkD9D+0MWg5Ui6bDp4E+Lys1aAn88z9bScelSSBdUlXKW1KJ uD1ZZnpdFemCtcY8J7yf2SFcksRlM3fD0U3N7nMdHA== X-Google-Smtp-Source: ABhQp+R4YXccyOmHnChRz98QNfzJ24+4KG46IAwrL9icTOaATMHskm9qEZRmQgk1W6DFbtakvrNz3Pvs7AzRiy6aQkY= X-Received: by 10.55.108.68 with SMTP id h65mr25996702qkc.13.1508878123591; Tue, 24 Oct 2017 13:48:43 -0700 (PDT) MIME-Version: 1.0 Received: by 10.200.40.115 with HTTP; Tue, 24 Oct 2017 13:48:43 -0700 (PDT) In-Reply-To: References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> <2E80204C-37D7-4624-BD23-573C386D7899@kitterman.com> From: "Murray S. Kucherawy" Date: Tue, 24 Oct 2017 13:48:43 -0700 Message-ID: To: Seth Blank Cc: dcrup@ietf.org Content-Type: multipart/alternative; boundary="001a114feeb690ee86055c5110d7" Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Oct 2017 20:48:46 -0000 --001a114feeb690ee86055c5110d7 Content-Type: text/plain; charset="UTF-8" On Tue, Oct 24, 2017 at 1:05 PM, Seth Blank wrote: > On Tue, Oct 24, 2017 at 1:03 PM, Murray S. Kucherawy > wrote: >> >> In fact I would claim that by the definitions in Section 2.7.1 of >> RFC7601, "policy" is the only option. >> > > I wanted to strongly argue for "fail" over "policy" here - but I concur > that within the confines of the current definition of fail in 7601, > "policy" is the only option that fits. > > fail: The message was signed and the signature or signatures were > acceptable to the ADMD, but they failed the verification test(s). > What about "permerror"? -MSK --001a114feeb690ee86055c5110d7 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Tue, Oct 24, 2017 at 1:05 PM, Seth Blank <seth@valimai= l.com> wrote:
On Tue, Oct 24, 2017 = at 1:03 PM, Murray S. Kucherawy <superuser@gmail.com> wrot= e:
In fact I would claim = that by the definitions in Section 2.7.1 of RFC7601, "policy" is = the only option.

I wanted to strongly argue for "fail"= over "policy" here - but I concur that within the confines of th= e current definition of fail in 7601, "policy" is the only option= that fits.

=C2=A0 =C2=A0fail:=C2=A0 The message was signed and the signatur= e or signatures were
=C2=A0 =C2=A0 =C2=A0 acceptable to the ADMD,= but they failed the verification test(s).

What about "permerror"?

-MSK
<= /div> --001a114feeb690ee86055c5110d7-- From nobody Tue Oct 24 13:52:34 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AD551394F2 for ; Tue, 24 Oct 2017 13:52:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.585 X-Spam-Level: X-Spam-Status: No, score=-0.585 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oqbn7w0-Zcxc for ; Tue, 24 Oct 2017 13:52:29 -0700 (PDT) Received: from mail-qt0-x235.google.com (mail-qt0-x235.google.com [IPv6:2607:f8b0:400d:c0d::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0152413F846 for ; Tue, 24 Oct 2017 13:52:24 -0700 (PDT) Received: by mail-qt0-x235.google.com with SMTP id f8so32209769qta.5 for ; Tue, 24 Oct 2017 13:52:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=YoJUrt9wVFVTuIQwJDpxFoDigIl/YFDWirQ3oTsi2D8=; b=Ytduxio8jdBMCUvnhYl7Y3XjKo4xFnLzOzWSwC/cDZXrDXPAiJfZ6Fhkrgg9uZyEts edqx5g7HxoXsfGT8sxme7Bq2LPFjYNb0YkUI+xByjW+J7C0aklNL2RzKEssN+2I+JovA rl30gJlcOWKUh0ppt6CDC9dAQKhiFcBo1ceE0ilI4gySPIk+ZNdw0MUJjsqi7a9SwJQ6 SA7r7Lc3DbyBI5QoAP0qqvnSz/agX/7m3fdgYuVeTvBRFHhr7oklmISLHXx/pxF0gncw h07JfBn0xJntgum0dF4RsSxzoQuhyj+d0mCaJvwTPhuCQze1HrkG03aKSzk4+ZFUFzAb gZGQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=YoJUrt9wVFVTuIQwJDpxFoDigIl/YFDWirQ3oTsi2D8=; b=LLL1VaQ6BMqUhJ+yw6YyjQwkfKCub/pZZlR+CjbD2SIoNaRmzwoABW3gMBO4KEECfZ pWC5DSvsP7tNqnn4cJi8LWvSU2RxdsreEjW3YkMc6e/pdRdT4ZLiMBnMhMMfAc3Xgkus NztCqca0VUyjlccQxNiVdGzm7Ix5BOD/NJXWseiYC9ZW+D9iVULercL/mgl1xZ0kWucs RTJxf5mQ6jdexGqv/PCTRek4ke1lzQVqzW93ka/NZKknCD39B0JhdOES8sR6nTZeeYU6 quaT4zdfHSaY+F6xyyo5zg1jNy9LgV+iVKL8TJKhQZyw+FGU04B3QQP1lNrlvAYwI9r9 8bFA== X-Gm-Message-State: AMCzsaXoSShUzNja3+/RDVl9mljkQ4Z3IItChWTECrAdY9QGgKFHf8yq HrivAT4jAzM1DI5RgRXyUfbJGBnhvHFJTvAD8pQJMRTliz0= X-Google-Smtp-Source: ABhQp+SYipoonCBJTBH1eTwbT/Z1H8sRr8OdRBzYqPicemBYUvIEb9OD6EUCQkSj8FPRU8/gGfZlfmMXNnG+ygSGTd4= X-Received: by 10.237.60.3 with SMTP id t3mr25742020qte.138.1508878343901; Tue, 24 Oct 2017 13:52:23 -0700 (PDT) MIME-Version: 1.0 Received: by 10.200.28.3 with HTTP; Tue, 24 Oct 2017 13:52:03 -0700 (PDT) In-Reply-To: References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> <2E80204C-37D7-4624-BD23-573C386D7899@kitterman.com> From: Seth Blank Date: Tue, 24 Oct 2017 13:52:03 -0700 Message-ID: To: dcrup@ietf.org Content-Type: multipart/alternative; boundary="94eb2c0e61dab2a525055c511d50" Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Oct 2017 20:52:31 -0000 --94eb2c0e61dab2a525055c511d50 Content-Type: text/plain; charset="UTF-8" On Tue, Oct 24, 2017 at 1:48 PM, Murray S. Kucherawy wrote: > > What about "permerror"? > permerror: The message could not be verified due to some error that is unrecoverable, such as a required header field being absent. A later attempt is unlikely to produce a final result. Yes, that's much better. -- [image: logo for sig file.png] Bringing Trust to Email Seth Blank | Director of Industry Initiatives seth@valimail.com +1-415-894-2724 <415-894-2724> --94eb2c0e61dab2a525055c511d50 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
--94eb2c0e61dab2a525055c511d50-- From nobody Tue Oct 24 15:54:29 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6A1C13A7E0 for ; Tue, 24 Oct 2017 15:54:26 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.998 X-Spam-Level: X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B15Si0FN3pxI for ; Tue, 24 Oct 2017 15:54:25 -0700 (PDT) Received: from mail-lf0-x229.google.com (mail-lf0-x229.google.com [IPv6:2a00:1450:4010:c07::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1051913A658 for ; Tue, 24 Oct 2017 15:54:24 -0700 (PDT) Received: by mail-lf0-x229.google.com with SMTP id n69so25757427lfn.2 for ; Tue, 24 Oct 2017 15:54:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Tqh0kXJ+ChmQcSXQC+yBx/cFF862Lioot3jclpHF8i8=; b=O1FkjR3tvY9h9ieKKQtANv78i4AjyhdyCLR66D+/10VPyIT3ctd5ZE9apVeVd35Pi9 YLLUAN6Xtx3JuQgP1b/eVjR8UYo0xgB1YLCax3todYsQwZwhZeouvOB7cPUpTaj2iIJB TEP3XSkciFOdDbHCuNPpDCeVH/LqMbr7UojdtyNsYDsvxEAeWG9T8nbJh9kB6AmDYreI NOZ/VAO3KyYfOnrbTQwNDoDpPOjuUR6/+PaskVqp6Dv5Url5sRcuEplSLlplHZ6FMxyZ /uowkWWyO3P/vx4D1QXliHgICtOG44X+9NL0z3TPOCGHMrBIBfRN2VkqMYHPxA/cMD89 X7Lw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Tqh0kXJ+ChmQcSXQC+yBx/cFF862Lioot3jclpHF8i8=; b=FCaQj5MzpfNYLKETZFjUyHux5ZGcwBoLeX+ieTm4UEEOLY63ygi+nixnHWR0L7JQGQ xY4gNA5BZBNJ1VjKkbASbZm8C9p6jEeFsmTSxOEKXLJPSC+QjTTwnJHgzLc4G9OVFfR1 93Xh8mlkzeIUG1mntXj7pbZM3QzM8C57UlOeFmtrFmbF3wrKi2Xe2MHT6MWYSFAr1EAg TRMOuijYiUDD5INGk3akWb1snTE2y01pcaNTnjKtC2eM2bJTljqVfsiyYLUh6ljjiYvr a+QBm8upypdsk+cu8z3RYWF/jjRm/H1dHc6f8pzrxVFIVJHgvLZ4nsI7gly3OMGtv19E c6EA== X-Gm-Message-State: AMCzsaVRULOcL7U5P6sHnxm7xix4vsfhYR4OhzcRzVtb1QA8i+VGaAx4 vDtXyNjFPOyW+QHfOdQO/3ZmfRg1caKSiWAglgc= X-Google-Smtp-Source: ABhQp+R0KtqPhH2ooLn67VCe1nzxgArB85yoROG2fey5JTiXvdZlFVLFkKuwc3N0bgoq9AfAILbAPYv+GIndD2vXSiA= X-Received: by 10.25.170.138 with SMTP id t132mr6693113lfe.88.1508885663102; Tue, 24 Oct 2017 15:54:23 -0700 (PDT) MIME-Version: 1.0 Received: by 10.179.2.161 with HTTP; Tue, 24 Oct 2017 15:54:22 -0700 (PDT) In-Reply-To: References: <20171021164630.90725.qmail@ary.lan> From: denis bider Date: Tue, 24 Oct 2017 17:54:22 -0500 Message-ID: To: John R Levine Cc: James Cloos , dcrup@ietf.org Content-Type: multipart/alternative; boundary="001a11411c3cf4bfce055c52d156" Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Oct 2017 22:54:27 -0000 --001a11411c3cf4bfce055c52d156 Content-Type: text/plain; charset="UTF-8" I'd like to support John Levine here with a +1. Just because "c" is EdDSA, doesn't mean it can be easily pulled into existing implementations. Doing c() instead of a(b()) complicated implementation by an order of magnitude for the savings of one hash. On Tue, Oct 24, 2017 at 3:30 PM, John R Levine wrote: > JRL> When a() and b() are existing, debugged, documented code, and c() is >> JRL> not, it happens all the time. >> >> But c() is eddsa(), so you can't call it undebugged or undocumented. >> > > Sorry, this is hopeless. If it's not self-evident why we want to use > existing DKIM routines that produce a short fixed-length hash rather than > tearing the libraries apart to invent new interfaces that produce variable > length text, potentially very long text so it'd need some kind of coroutine > to produce it in chunks, I don't think I can help. > > Regards, > John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY > Please consider the environment before reading this e-mail. https://jl.ly > > _______________________________________________ > Dcrup mailing list > Dcrup@ietf.org > https://www.ietf.org/mailman/listinfo/dcrup > --001a11411c3cf4bfce055c52d156 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I'd like to support John Levine here with a +1. Just b= ecause "c" is EdDSA, doesn't mean it can be easily pulled int= o existing implementations. Doing c() instead of a(b()) complicated impleme= ntation by an order of magnitude for the savings of one hash.

On Tue, Oct 24, 2017 at 3= :30 PM, John R Levine <johnl@taugh.com> wrote:
JRL> When a() and b() are existing, debugged, documented code, and c() i= s
JRL> not, it happens all the time.

But c() is eddsa(), so you can't call it undebugged or undocumented.

Sorry, this is hopeless.=C2=A0 If it's not self-evident why we want to = use existing DKIM routines that produce a short fixed-length hash rather th= an tearing the libraries apart to invent new interfaces that produce variab= le length text, potentially very long text so it'd need some kind of co= routine to produce it in chunks, I don't think I can help.

Regards,
John Levine, johnl@tau= gh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
Dcrup mailing list
Dcrup@ietf.org
https://www.ietf.org/mailman/listinfo/dcrup

--001a11411c3cf4bfce055c52d156-- From nobody Tue Oct 24 16:35:29 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FC2F13A441 for ; Tue, 24 Oct 2017 16:35:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.699 X-Spam-Level: X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QEzpIb7qKPIK for ; Tue, 24 Oct 2017 16:35:25 -0700 (PDT) Received: from mail-lf0-x22f.google.com (mail-lf0-x22f.google.com [IPv6:2a00:1450:4010:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70C25139605 for ; Tue, 24 Oct 2017 16:35:25 -0700 (PDT) Received: by mail-lf0-x22f.google.com with SMTP id a132so25818723lfa.7 for ; Tue, 24 Oct 2017 16:35:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=hm31MkmPmS9bsyXPqH5l7vNortyhaooxzrQiBjQjlGU=; b=BozCx20smVMTNMo0lG6tWYcy/T1VBX8aoBeWTQ3uZ06AmqWpTKa/7ZnXcOhMFy8hGY WYDn2Q5bKxoeBRkaAwfZIwI1Sg6FwMMR+yp5zb6iXeT9x4FnrgaWiL+LdjVmEO8VUiwu jf5PQpfG8OWl0oP2gNDzd3R0UEP9tHZNOBUHY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=hm31MkmPmS9bsyXPqH5l7vNortyhaooxzrQiBjQjlGU=; b=dmUDy5A4Zkr1zsRYFwKneCjwuo3t4dnhFSbFii0MU7o2Oq64HCgFX4674XE8kWAGkd NsoO9pLKNozhrkCPG1JPBeFfc9ko2v1iz9u8wccirNX6AunwHEO1gahzwQuGxZ+E8721 rhkCLMFuQG0flLmdDHzD16hLRVzggQuIJKSj6lDLKWvConPUrcu+4qZxbHUBjOfg5Jb1 fcaTRLsCVYzh7guCn9Pxz3bORkgZMr7HBkq7NPeBfX8T3rM7BCthFFXLVJXDPzBxgl7O FHO0RPE719JufqfRIYusdVhnyfgbMkZnRwQTlNWyDxwKkHkjGmAiSMdiJLHG2Y/nEbwK vDlw== X-Gm-Message-State: AMCzsaXuPIrq7JoCUTYf8LvDHV4Et0hgE6llSApHr78Md195eOLiHeUS EIhKfW5Qmk9rqK/EZCYUksEpaLRnDE5mrcWAe3uGaOaW X-Google-Smtp-Source: ABhQp+QuHwJTtVp9KIZCQMvQHH9fWdcg/bPh9jj2qKw19a4yq0c78uNAMLFUqcPUx1bnxZyDqZJKl4rwqSJiq1JauWU= X-Received: by 10.46.87.12 with SMTP id l12mr7659823ljb.44.1508888123538; Tue, 24 Oct 2017 16:35:23 -0700 (PDT) MIME-Version: 1.0 Received: by 10.25.158.77 with HTTP; Tue, 24 Oct 2017 16:35:22 -0700 (PDT) In-Reply-To: References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> <2E80204C-37D7-4624-BD23-573C386D7899@kitterman.com> From: Kurt Andersen Date: Tue, 24 Oct 2017 23:35:22 +0000 Message-ID: To: "Murray S. Kucherawy" Cc: Scott Kitterman , dcrup@ietf.org Content-Type: multipart/alternative; boundary="f403045f8c569c1347055c536427" Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Oct 2017 23:35:28 -0000 --f403045f8c569c1347055c536427 Content-Type: text/plain; charset="UTF-8" On Tue, Oct 24, 2017 at 8:03 PM, Murray S. Kucherawy wrote: > On Tue, Oct 24, 2017 at 12:58 PM, Murray S. Kucherawy > wrote: > >> On Thu, Oct 19, 2017 at 3:54 AM, Scott Kitterman >> wrote: >> >>> My assumption had been that since there's no valid signature with >>> rsa-sha1, there's nothing to even consider putting in an A-R header field. >>> >>> I think the only result that can go in this case is None. I hadn't >>> thought we'd need to say that, but I guess maybe we do. >>> >> >> I think "policy" is the right way to go. There's nothing technically >> wrong with an rsa-sha1 signature, but you're deciding not to accept it. >> It's the same as you deciding you're not going to accept a perfectly valid >> rsa-sha256 signature on a message simply because that signature didn't >> include the Subject field. >> > > In fact I would claim that by the definitions in Section 2.7.1 of RFC7601, > "policy" is the only option. > Are we talking about before or after this group consigns sha1 to the ash heap? Perhaps I'm confused about the sequencing of events that we are discussing. If the original DKIM spec had allowed rsa-md5 and a previous (hypothetical) instance of DCRUP had similarly deprecated MD5, what sort of designation would we expect to be recorded today for such usage? --Kurt --f403045f8c569c1347055c536427 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On T= ue, Oct 24, 2017 at 8:03 PM, Murray S. Kucherawy <superuser@gmail.com> wrote:
On Tue, Oct 24, 2017 at 12:58 PM, Murray S. Kucherawy <supe= ruser@gmail.com> wrote:
=
=
On Thu, Oct 19, 2017 at 3:54 AM, Scott Kitterman <sklist@kitterman.com> wrote:
My a= ssumption had been that since there's no valid signature with rsa-sha1,= there's nothing to even consider putting in an A-R header field.

I think the only result that can go in this case is None.=C2=A0 I hadn'= t thought we'd need to say that, but I guess maybe we do.

I think "policy" is the right way t= o go.=C2=A0 There's nothing technically wrong with an rsa-sha1 signatur= e, but you're deciding not to accept it.=C2=A0 It's the same as you= deciding you're not going to accept a perfectly valid rsa-sha256 signa= ture on a message simply because that signature didn't include the Subj= ect field.

I= n fact I would claim that by the definitions in Section 2.7.1 of RFC7601, &= quot;policy" is the only option.

Are we talking about before or after= this group consigns sha1 to the ash heap? Perhaps I'm confused about t= he sequencing of events that we are discussing. If the original DKIM spec h= ad allowed rsa-md5 and a previous (hypothetical) instance of DCRUP had simi= larly deprecated MD5, what sort of designation would we expect to be record= ed today for such usage?

--Kurt
--f403045f8c569c1347055c536427-- From nobody Tue Oct 24 16:46:34 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1554F139950 for ; Tue, 24 Oct 2017 16:46:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.499 X-Spam-Level: X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fiction.net Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2U4z3sK0FXGX for ; Tue, 24 Oct 2017 16:46:31 -0700 (PDT) Received: from mail-qt0-x22a.google.com (mail-qt0-x22a.google.com [IPv6:2607:f8b0:400d:c0d::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DA331394E4 for ; Tue, 24 Oct 2017 16:46:31 -0700 (PDT) Received: by mail-qt0-x22a.google.com with SMTP id 8so32696465qtv.1 for ; Tue, 24 Oct 2017 16:46:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fiction.net; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=BkuoZ30lWquHHUXACJFyBj4U/GjCybpchxuMi1co5+I=; b=F53aNyHkQ7WJZjvH7aMIoGsnP1BYUhdqvPjt/++xvXeFIkGBQW1XYEAj5W/cPF6feF hMDE02dLNaK0L/yC28PtvAdlAOrv+XsASxFZwrWt1P9/dbM+55MWw45YjTMzcPF6u5xU 1TwdSEH6XO5l3IyVnQ3kVsve2nMeQxZPIDPX68BWeg2KQxtDqxi2CPktaGJcq6qWBcc7 3IC1UvCHHbA1HOFy2jf77vq/JygYEiaSfxz5ZCNCKVKXCEsegzJcbbW7Nkra+adN8qgI hTjjZUjblTQsB1j36+Ydgl0sScDvhyyURCbLXAz+DlYzxlgUrFYHojc3OtSXA0G80p5J 4/8Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=BkuoZ30lWquHHUXACJFyBj4U/GjCybpchxuMi1co5+I=; b=qiTO6Z3CcnTmWGSDcfySn6CNUmy7tCsl69E36mr72bw63OOohdPVxygYIfpS4x5dGm LnGJk86sKeWJ6p2FVnn6VTkKlG+nxr51kcIs+9m8SgUvbTnhtjbVD3kHPvcTfdi/INTi kxtKCSzoQX92QM2p8QkXL2RFiLMxNkipG0b6vPpvayd9NpcmeFnB40QsKJY4bmHOe6OL HQh1h4Y5tBLL6KFoq/J9whi+DUnfZ2YF0a0X1TzRTckpPvbMleJaTfZptc6leAnG29zX +jOXKJch5sGaLaDUEAWbLWKFLpgU+sITts10vurauYmGtESnfekK88rxrbqFEMM0WZHs RF0A== X-Gm-Message-State: AMCzsaXurRxf1Zs54wXFM7wHN0P0fPPwN+z5fXu7H5wWXSNOah8nFMve QHKSdtGmXGvrHb4+nrvfcBhiVsgP X-Google-Smtp-Source: ABhQp+SciR6DiqFf9fOQVqkNLPXJg70Zziwler68FKswWTrGxH+3hp3GsNf5hdTiOJPczPSt6kfrxQ== X-Received: by 10.200.26.15 with SMTP id v15mr6514729qtj.62.1508888790455; Tue, 24 Oct 2017 16:46:30 -0700 (PDT) Received: from mail-qt0-f176.google.com (mail-qt0-f176.google.com. [209.85.216.176]) by smtp.gmail.com with ESMTPSA id o71sm1008476qka.74.2017.10.24.16.46.29 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 24 Oct 2017 16:46:29 -0700 (PDT) Received: by mail-qt0-f176.google.com with SMTP id d9so25877438qtd.7 for ; Tue, 24 Oct 2017 16:46:29 -0700 (PDT) X-Received: by 10.200.34.182 with SMTP id f51mr26584431qta.167.1508888789078; Tue, 24 Oct 2017 16:46:29 -0700 (PDT) MIME-Version: 1.0 Received: by 10.55.101.205 with HTTP; Tue, 24 Oct 2017 16:46:28 -0700 (PDT) In-Reply-To: References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> <2E80204C-37D7-4624-BD23-573C386D7899@kitterman.com> From: Brandon Long Date: Tue, 24 Oct 2017 16:46:28 -0700 X-Gmail-Original-Message-ID: Message-ID: To: Kurt Andersen Cc: "Murray S. Kucherawy" , dcrup@ietf.org, Scott Kitterman Content-Type: multipart/alternative; boundary="001a113f476c48003f055c538cc8" Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Oct 2017 23:46:34 -0000 --001a113f476c48003f055c538cc8 Content-Type: text/plain; charset="UTF-8" On Tue, Oct 24, 2017 at 4:35 PM, Kurt Andersen wrote: > On Tue, Oct 24, 2017 at 8:03 PM, Murray S. Kucherawy > wrote: > >> On Tue, Oct 24, 2017 at 12:58 PM, Murray S. Kucherawy < >> superuser@gmail.com> wrote: >> >>> On Thu, Oct 19, 2017 at 3:54 AM, Scott Kitterman >>> wrote: >>> >>>> My assumption had been that since there's no valid signature with >>>> rsa-sha1, there's nothing to even consider putting in an A-R header field. >>>> >>>> I think the only result that can go in this case is None. I hadn't >>>> thought we'd need to say that, but I guess maybe we do. >>>> >>> >>> I think "policy" is the right way to go. There's nothing technically >>> wrong with an rsa-sha1 signature, but you're deciding not to accept it. >>> It's the same as you deciding you're not going to accept a perfectly valid >>> rsa-sha256 signature on a message simply because that signature didn't >>> include the Subject field. >>> >> >> In fact I would claim that by the definitions in Section 2.7.1 of >> RFC7601, "policy" is the only option. >> > > Are we talking about before or after this group consigns sha1 to the ash > heap? Perhaps I'm confused about the sequencing of events that we are > discussing. If the original DKIM spec had allowed rsa-md5 and a previous > (hypothetical) instance of DCRUP had similarly deprecated MD5, what sort of > designation would we expect to be recorded today for such usage? > This is obviously a bit different, but today google uses policy for keys under 1024 bits. I say "different", because prior to the dcrup work being published, that's our policy choice. After, it's the standard, so permerror might be more appropriate. Brandon --001a113f476c48003f055c538cc8 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


On Tue, Oct 24, 2017 at 4:35 PM, Kurt Andersen <kurta@drkurt.com>= ; wrote:
On Tue, Oct = 24, 2017 at 8:03 PM, Murray S. Kucherawy <superuser@gmail.com> wrote:
On Tue= , Oct 24, 2017 at 12:58 PM, Murray S. Kucherawy <superuser@gmail.com= > wrote:
On Thu,= Oct 19, 2017 at 3:54 AM, Scott Kitterman <sklist@kitterman.com>= wrote:
My assumption had been that since = there's no valid signature with rsa-sha1, there's nothing to even c= onsider putting in an A-R header field.

I think the only result that can go in this case is None.=C2=A0 I hadn'= t thought we'd need to say that, but I guess maybe we do.

I think "policy" is the right way t= o go.=C2=A0 There's nothing technically wrong with an rsa-sha1 signatur= e, but you're deciding not to accept it.=C2=A0 It's the same as you= deciding you're not going to accept a perfectly valid rsa-sha256 signa= ture on a message simply because that signature didn't include the Subj= ect field.

I= n fact I would claim that by the definitions in Section 2.7.1 of RFC7601, &= quot;policy" is the only option.

Are we t= alking about before or after this group consigns sha1 to the ash heap? Perh= aps I'm confused about the sequencing of events that we are discussing.= If the original DKIM spec had allowed rsa-md5 and a previous (hypothetical= ) instance of DCRUP had similarly deprecated MD5, what sort of designation = would we expect to be recorded today for such usage?

This is obviously a bit different, but today google u= ses policy for keys under 1024 bits.=C2=A0 I say "different", bec= ause prior to the dcrup work being published, that's our policy choice.= =C2=A0 After, it's the standard, so permerror might be more appropriate= .

Brandon
--001a113f476c48003f055c538cc8-- From nobody Tue Oct 24 17:12:03 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4056D13A344 for ; Tue, 24 Oct 2017 17:12:01 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.79 X-Spam-Level: X-Spam-Status: No, score=-1.79 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=kitterman.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yZ6y13wypVeL for ; Tue, 24 Oct 2017 17:12:00 -0700 (PDT) Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [IPv6:2607:f0d0:3001:aa::2]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E81A13A1FA for ; Tue, 24 Oct 2017 17:12:00 -0700 (PDT) Received: from [10.120.45.156] (mobile-166-170-50-249.mycingular.net [166.170.50.249]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 30DCDC4025F; Tue, 24 Oct 2017 19:11:57 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2001409; t=1508890318; bh=Fr4b2AA5sY2EL1YBhWxAEKalHh6YI9CnlZu+yPGSUNc=; h=Date:In-Reply-To:References:Subject:To:From:From; b=yfX+6QNOktdFfUrb1PX/vEE4urRHeBEh9FtfXJ3pdRXdsXe74TYaqn6T3F3yohQtP Ml1NoMKuWGKjlVkWL4KRZRd6iF5Ajk+FFqw2kGc2aFvHo71GTkfEKZRUgkU7ip0lj1 bJNb985P9JiCvDxCKXcPYFSLGwtvvTPMUpVYy3IE= Date: Wed, 25 Oct 2017 00:11:53 +0000 In-Reply-To: References: <150656461384.13748.13197533071257342162.idtracker@ietfa.amsl.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable To: dcrup@ietf.org From: Scott Kitterman Message-ID: <3193DFB2-23F1-4E7C-BFB9-2EB4DC6B530A@kitterman.com> Archived-At: Subject: Re: [Dcrup] Ben Campbell's Yes on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Oct 2017 00:12:01 -0000 On October 24, 2017 12:55:48 PM PDT, "Murray S=2E Kucherawy" wrote: >On Thu, Oct 19, 2017 at 8:44 AM, Kurt Andersen >wrote: > >> On Thu, Oct 19, 2017 at 12:35 AM, Murray S=2E Kucherawy >> > wrote: >> >>> >>> I see Ben's point, and "MUST be able to=2E=2E=2E" sounds reasonable to= me=2E > I >>> think this also addresses Jari's GEN-ART point (to which Mirja >alluded), >>> and his "MUST implement" suggestion also seems reasonable to me=2E >>> >>> What does the WG prefer? >>> >> >> "MUST be able to" seems to capture the intent=2E >> > >I concur (as an individual)=2E > >And as chair, I'd say this small issue probably has consensus, so >Scott, >please make this tweak and resubmit (modulo the other post-IESG thread) >and >then Alexey can send it on its way=2E > >-MSK Will do once I know what to put in for the other thread=2E Scott K From nobody Tue Oct 24 17:17:06 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E14913F85E for ; Tue, 24 Oct 2017 17:16:58 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.791 X-Spam-Level: X-Spam-Status: No, score=-1.791 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=kitterman.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XOk8xfWV14l0 for ; Tue, 24 Oct 2017 17:16:51 -0700 (PDT) Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E49813A1FA for ; Tue, 24 Oct 2017 17:16:50 -0700 (PDT) Received: from [10.120.45.156] (mobile-166-170-50-249.mycingular.net [166.170.50.249]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 14EAEC4025F; Tue, 24 Oct 2017 19:16:48 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2001409; t=1508890609; bh=0hMaHu5wY1V972dNt0tFyeQNSabK9WNEKcJkFGYpb2I=; h=Date:In-Reply-To:References:Subject:To:From:From; b=hllcidGEYKQhUDHbXsNRtFpSbc0DSaGlI80YZ1z3kdNuaY8oq1LTkD8FISEn/+LhL xnTxR6M/hEpsazUT+TI7NBbNeOI7AN3/Ef0FfotpF1+WiTrjfLcMX9mb+PaTBf7Qfo z/W0DWrtSONBmB0EeO75Ic78W4pXJcXWkKVLUZtY= Date: Wed, 25 Oct 2017 00:16:45 +0000 In-Reply-To: References: <20171021164630.90725.qmail@ary.lan> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable To: dcrup@ietf.org From: Scott Kitterman Message-ID: <2FE5DB8C-E468-4F7B-8ADF-52666E02E807@kitterman.com> Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Oct 2017 00:16:58 -0000 Yes=2E Absolutely=2E There are only two realistic choices: HashEdDSA now Wait and see if PureEdDSA gets implementation traction=2E My preference is the first one, but either is incomparably better than inv= enting something new=2E Scott K On October 24, 2017 3:54:22 PM PDT, denis bider wrote: >I'd like to support John Levine here with a +1=2E Just because "c" is >EdDSA, >doesn't mean it can be easily pulled into existing implementations=2E >Doing >c() instead of a(b()) complicated implementation by an order of >magnitude >for the savings of one hash=2E > >On Tue, Oct 24, 2017 at 3:30 PM, John R Levine wrote: > >> JRL> When a() and b() are existing, debugged, documented code, and >c() is >>> JRL> not, it happens all the time=2E >>> >>> But c() is eddsa(), so you can't call it undebugged or undocumented=2E >>> >> >> Sorry, this is hopeless=2E If it's not self-evident why we want to use >> existing DKIM routines that produce a short fixed-length hash rather >than >> tearing the libraries apart to invent new interfaces that produce >variable >> length text, potentially very long text so it'd need some kind of >coroutine >> to produce it in chunks, I don't think I can help=2E >> >> Regards, >> John Levine, johnl@taugh=2Ecom, Taughannock Networks, Trumansburg NY >> Please consider the environment before reading this e-mail=2E >https://jl=2Ely >> >> _______________________________________________ >> Dcrup mailing list >> Dcrup@ietf=2Eorg >> https://www=2Eietf=2Eorg/mailman/listinfo/dcrup >> From nobody Tue Oct 24 17:24:36 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 187A713A25A for ; Tue, 24 Oct 2017 17:24:35 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.791 X-Spam-Level: X-Spam-Status: No, score=-1.791 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=kitterman.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PqP1hY2RYBja for ; Tue, 24 Oct 2017 17:24:33 -0700 (PDT) Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [IPv6:2607:f0d0:3001:aa::2]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C633C1395ED for ; Tue, 24 Oct 2017 17:24:33 -0700 (PDT) Received: from [10.120.45.156] (mobile-166-170-50-249.mycingular.net [166.170.50.249]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 9250FC4025F; Tue, 24 Oct 2017 19:24:32 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2001409; t=1508891073; bh=Lay/VpYmdVWlqsOm7F8xPRMxi4KIbubdO31dkd70xVU=; h=Date:In-Reply-To:References:Subject:To:From:From; b=FsIX2lnOCVL7lhkjAl79eLYttcqzsKN3bIq08LPRaBnlPKKcWi54ddcZXvJptTkS8 yUsO3Kd+wR6PUTHIUbc753GhvzX5zOJXZmwJxHnToa00geIzAGfrMHzR4edwcWBHBX 2cwwI3kSz3o5Fufu8n+gdHj7Fmt+2nOpbwqy48Ag= Date: Wed, 25 Oct 2017 00:24:19 +0000 In-Reply-To: References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> <2E80204C-37D7-4624-BD23-573C386D7899@kitterman.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable To: dcrup@ietf.org From: Scott Kitterman Message-ID: Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Oct 2017 00:24:35 -0000 On October 24, 2017 4:46:28 PM PDT, Brandon Long wro= te: >On Tue, Oct 24, 2017 at 4:35 PM, Kurt Andersen >wrote: > >> On Tue, Oct 24, 2017 at 8:03 PM, Murray S=2E Kucherawy > >> wrote: >> >>> On Tue, Oct 24, 2017 at 12:58 PM, Murray S=2E Kucherawy < >>> superuser@gmail=2Ecom> wrote: >>> >>>> On Thu, Oct 19, 2017 at 3:54 AM, Scott Kitterman > >>>> wrote: >>>> >>>>> My assumption had been that since there's no valid signature with >>>>> rsa-sha1, there's nothing to even consider putting in an A-R >header field=2E >>>>> >>>>> I think the only result that can go in this case is None=2E I >hadn't >>>>> thought we'd need to say that, but I guess maybe we do=2E >>>>> >>>> >>>> I think "policy" is the right way to go=2E There's nothing >technically >>>> wrong with an rsa-sha1 signature, but you're deciding not to accept >it=2E >>>> It's the same as you deciding you're not going to accept a >perfectly valid >>>> rsa-sha256 signature on a message simply because that signature >didn't >>>> include the Subject field=2E >>>> >>> >>> In fact I would claim that by the definitions in Section 2=2E7=2E1 of >>> RFC7601, "policy" is the only option=2E >>> >> >> Are we talking about before or after this group consigns sha1 to the >ash >> heap? Perhaps I'm confused about the sequencing of events that we are >> discussing=2E If the original DKIM spec had allowed rsa-md5 and a >previous >> (hypothetical) instance of DCRUP had similarly deprecated MD5, what >sort of >> designation would we expect to be recorded today for such usage? >> > >This is obviously a bit different, but today google uses policy for >keys >under 1024 bits=2E I say "different", because prior to the dcrup work >being >published, that's our policy choice=2E After, it's the standard, so >permerror might be more appropriate=2E > >Brandon I prefer None, but I think permerror is reasonable=2E Policy means local = policy (as you are doing now)=2E Once this is approved, not accepting shor= t keys ( < 1024 ) or rsa-sha1 is not just a local policy call=2E Scott K From nobody Tue Oct 24 21:15:14 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAEB2139203 for ; Tue, 24 Oct 2017 21:15:13 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pdy2H2E4nIkk for ; Tue, 24 Oct 2017 21:15:07 -0700 (PDT) Received: from mail-qt0-x233.google.com (mail-qt0-x233.google.com [IPv6:2607:f8b0:400d:c0d::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4168D13AF75 for ; Tue, 24 Oct 2017 21:15:07 -0700 (PDT) Received: by mail-qt0-x233.google.com with SMTP id p1so33200116qtg.2 for ; Tue, 24 Oct 2017 21:15:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=OjH6Bf/ACM8yTPsOrND+/8VJTRrxLKDdnj6ex2VsWaI=; b=XEU43MMjXpmKVAwXHOZ8m8DSGwRiASHlf5SuVmmi7Z0U2O0WY7vdQGNZTRcTH5X0MF q7hO83zaK/2HHpzB2bPsKs/TqUswgZoP5pOdcKajUlS0zpCVeeylk1ckrXz/rpzgiSFn IDoE/t3pLd03gsKIhxzbBzhqao8qB5bNiwhJMXhXjy0WkUUvcLAHXuNbv2p4u1E8CJ5B 4A+zPjetmAvpOR6rVas00JeXci7duj6WRQBTTFduOw27q6RRL9m2ZFrnm6yOg46gi+53 E1gNxH1iNVbbjQd50LAGSrCup7R+PGtqhXNbfNJUgqs0XAeLti4SkokMCCYFUzSSWdc3 gpBA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=OjH6Bf/ACM8yTPsOrND+/8VJTRrxLKDdnj6ex2VsWaI=; b=AV+dr2QHV3QtLfKiVf5jnyOklFq+AdRl3z77KqPnyuhY6ITE+E27+2b1sEA/cLXI2N 9SCRtGnWOIwHgYoGLZpMH+i04iiYGU3SOvYP1YNA0QeDWyOldaoZGNS+3YZnLExTPkhd rUPY0WzNgGReumdf1EIYcMbcDc0qf/K3Tc0/MsOx+fPvExRMtRg06VgyZVx0YMHvFEQY aGFR3qn4+gWN0pDfLeQzzW5TTNqJwIYy3NWO3lnrY0F02zcHcEfs8q249IMU7ZWGX+ZT oIEnYQo4n4F/Up7F9vnwJzoYbbjWQXWvKIXMFQeGllEOW3AbJ7A4Pvl0lA6jstLegK1n fH6A== X-Gm-Message-State: AMCzsaUAtyt0ANjGpnMoX8BNIJ2htSrN9jQ5zpziwsMvX5IiNkH+6+pI gbrbcxkH2W7x7/Ds2w0Bihl3Z1XG38AOXVt6TA4= X-Google-Smtp-Source: ABhQp+R9ajR8vN0bwzvOey8PZbsGpfYN2e6jh9rnHRDpbVHtRUjpzC1gdODlHT6Jyityu2KR26qkNfQPQVdv817aIxM= X-Received: by 10.200.40.146 with SMTP id i18mr28317534qti.79.1508904906261; Tue, 24 Oct 2017 21:15:06 -0700 (PDT) MIME-Version: 1.0 Received: by 10.200.40.115 with HTTP; Tue, 24 Oct 2017 21:15:05 -0700 (PDT) In-Reply-To: References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> <2E80204C-37D7-4624-BD23-573C386D7899@kitterman.com> From: "Murray S. Kucherawy" Date: Tue, 24 Oct 2017 21:15:05 -0700 Message-ID: To: Kurt Andersen Cc: Scott Kitterman , dcrup@ietf.org Content-Type: multipart/alternative; boundary="001a11403d0af00946055c574c00" Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Oct 2017 04:15:13 -0000 --001a11403d0af00946055c574c00 Content-Type: text/plain; charset="UTF-8" On Tue, Oct 24, 2017 at 4:35 PM, Kurt Andersen wrote: > In fact I would claim that by the definitions in Section 2.7.1 of RFC7601, >> "policy" is the only option. >> > > Are we talking about before or after this group consigns sha1 to the ash > heap? > Concurrent with. Perhaps I'm confused about the sequencing of events that we are discussing. > If the original DKIM spec had allowed rsa-md5 and a previous (hypothetical) > instance of DCRUP had similarly deprecated MD5, what sort of designation > would we expect to be recorded today for such usage? > The question's never been asked before, so I don't know how to answer that. But I don't think "none" is right unless we also want to contend that a DKIM-Signature field with a syntax error in it also warrants a "none", which I don't believe is the case. -MSK --001a11403d0af00946055c574c00 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Tue, Oct 24, 2017 at 4:35 PM, Kurt Andersen <kurta@dr= kurt.com> wrote:
In fact I would claim that by the definitions in Sec= tion 2.7.1 of RFC7601, "policy" is the only option.

Are we talking about before or after this group consigns s= ha1 to the ash heap?

Concur= rent with.

Perhaps I'm confused about the sequenci= ng of events that we are discussing. If the original DKIM spec had allowed = rsa-md5 and a previous (hypothetical) instance of DCRUP had similarly depre= cated MD5, what sort of designation would we expect to be recorded today fo= r such usage?

The question&= #39;s never been asked before, so I don't know how to answer that.=C2= =A0 But I don't think "none" is right unless we also want to = contend that a DKIM-Signature field with a syntax error in it also warrants= a "none", which I don't believe is the case.
<= br>
-MSK
--001a11403d0af00946055c574c00-- From nobody Tue Oct 24 21:32:14 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2B0513B10F for ; Tue, 24 Oct 2017 21:32:12 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.791 X-Spam-Level: X-Spam-Status: No, score=-1.791 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=kitterman.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xtpq5tOpDpuk for ; Tue, 24 Oct 2017 21:32:11 -0700 (PDT) Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6620213B0EA for ; Tue, 24 Oct 2017 21:32:11 -0700 (PDT) Received: from kitterma-e6430.localnet (unknown [209.65.111.194]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 2B249C4025F for ; Tue, 24 Oct 2017 23:32:07 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2001409; t=1508905927; bh=oVOTgb9sUPmQ24pldFcz8t46P7GCUR0FysNJlCtL7K4=; h=From:To:Subject:Date:In-Reply-To:References:From; b=k3sZoWOpxC2et0ADXCwY6qgiM9oqGOFgmfE8b2qYmvmBuBnAKGN2kKm3QWYiz8D1v f/zgENAzk16GXCiiSUW9zqwJ3T/NrCDHD3MSPE875uNztIKg8s57bgq7EH8VrHnxTL LbZJqcR5Tg35wF0d3y+St2Y9/srjPbqN8uM50IPQ= From: Scott Kitterman To: dcrup@ietf.org Date: Wed, 25 Oct 2017 00:32:05 -0400 Message-ID: <1827464.gt1Kil1zhX@kitterma-e6430> User-Agent: KMail/4.13.3 (Linux/3.13.0-133-generic; KDE/4.13.3; x86_64; ; ) In-Reply-To: References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Oct 2017 04:32:13 -0000 On Tuesday, October 24, 2017 09:15:05 PM Murray S. Kucherawy wrote: > On Tue, Oct 24, 2017 at 4:35 PM, Kurt Andersen wrote: > > In fact I would claim that by the definitions in Section 2.7.1 of RFC7601, > > > >> "policy" is the only option. > > > > Are we talking about before or after this group consigns sha1 to the ash > > heap? > > Concurrent with. > > Perhaps I'm confused about the sequencing of events that we are discussing. > > > If the original DKIM spec had allowed rsa-md5 and a previous > > (hypothetical) > > instance of DCRUP had similarly deprecated MD5, what sort of designation > > would we expect to be recorded today for such usage? > > The question's never been asked before, so I don't know how to answer > that. But I don't think "none" is right unless we also want to contend > that a DKIM-Signature field with a syntax error in it also warrants a > "none", which I don't believe is the case. > > -MSK You've convinced me "none" is not what we want. I think that your hypothetical DKIM signature warrants a "permerror" and that's what we should use here. Scott K From nobody Wed Oct 25 04:59:47 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34900137A70 for ; Wed, 25 Oct 2017 04:59:46 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.286 X-Spam-Level: X-Spam-Status: No, score=-1.286 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7NhbDyrYfLTs for ; Wed, 25 Oct 2017 04:59:43 -0700 (PDT) Received: from mail-qk0-x234.google.com (mail-qk0-x234.google.com [IPv6:2607:f8b0:400d:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4ED301377B3 for ; Wed, 25 Oct 2017 04:59:43 -0700 (PDT) Received: by mail-qk0-x234.google.com with SMTP id n5so30075283qke.11 for ; Wed, 25 Oct 2017 04:59:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=SmOwg/ATygnqXU8ZhN7ykYMP/mrpWH38dRqW0y0Pklw=; b=RDBzz99/Qg5LKwO6n7ohgeLcnN/FcADzxa7xYmueX9AMtSAMQcydmcj78lNBRRiyFo GtDaumWGwVuPESrs+Gjr5ukmJF1ZqXr4OpbjWdrfzzGBDYrWtbdT9X2AFEMb5mojGpkR bOvd7dXzJdrL9ig5qeW38791IcNjQ/7lT9/iqGj2M1azn+pz8X8tHyuvzTvi28BrpXvt TbRxLzc/A7dEFp8GT/PTWReSwKdg7GYJpbD3zYybIrnh8JSSmlncRJk7Y1yMRIWvOu/I ZG3N7EE+ccdHx5xz9VE6jzp7HRv7gY6z91ojqAYnamUYLkncKDS00w2Ogmfm6nkWcRP0 vuNg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=SmOwg/ATygnqXU8ZhN7ykYMP/mrpWH38dRqW0y0Pklw=; b=Kly/6UvxVVYGr07s3VrgPQ/M3i8PnqVJB4jE+KQJDNja7ou6NRNx9iZXHx2NDwddrz 5EhOysAVWkRwLH+9NWK1LMhrvcvHO2a1Xb3bE0gOmyi29KOzrVtj9ifbu7tg/coAy35m +0myJ9ch/0coYMH7F1y1Z3M8n6oV3zzSOIBlH1US8tg++Tviu96skVt2MvrJJrkxKbL7 SL9NZHKgN9/0hcsc/MVPFHKBWRz7+qH2CEJD5eNXK+4lP/R1CMY9n7Ok5PpRk8PBY8ZP 6E/8XjLt+IupL1qtPR00WKe7H/C3l3T2MeHFmWfDQi8p1qod+QvE5EbBvjJPsvrD76+q HV5Q== X-Gm-Message-State: AMCzsaW7ZzKKxBFCtPurJVc8Htbwc6KNqwAUOAZh4OAMhpZA26Jy0TMu OLuDe2aCqdYi6qMyA+mWxCKIs6VH5QKghBqM9lwII7g0 X-Google-Smtp-Source: ABhQp+TaTxxozwv2rx4q1Tzu3zO3Kv0zmuTrk81dQ3JGhjJKT3Vk/nGzW2DUbecodgwXR2Lzq0tLmC3uJBaydx2SWxY= X-Received: by 10.55.165.213 with SMTP id o204mr2556877qke.313.1508932782150; Wed, 25 Oct 2017 04:59:42 -0700 (PDT) MIME-Version: 1.0 Received: by 10.200.28.3 with HTTP; Wed, 25 Oct 2017 04:59:21 -0700 (PDT) In-Reply-To: <1827464.gt1Kil1zhX@kitterma-e6430> References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> <1827464.gt1Kil1zhX@kitterma-e6430> From: Seth Blank Date: Wed, 25 Oct 2017 04:59:21 -0700 Message-ID: To: dcrup@ietf.org Content-Type: multipart/alternative; boundary="001a114fd6dc786ed7055c5dcafc" Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Oct 2017 11:59:46 -0000 --001a114fd6dc786ed7055c5dcafc Content-Type: text/plain; charset="UTF-8" On Tue, Oct 24, 2017 at 9:32 PM, Scott Kitterman wrote: > > You've convinced me "none" is not what we want. I think that your > hypothetical DKIM signature warrants a "permerror" and that's what we > should > use here. > As a report receiver, "permerror" is a much clearer signal than "fail" that there's an error on the domain owner's end that requires fixing. I'm now convinced and retract my earlier "it should be fail" comment. -- [image: logo for sig file.png] Bringing Trust to Email Seth Blank | Director of Industry Initiatives seth@valimail.com +1-415-894-2724 <415-894-2724> --001a114fd6dc786ed7055c5dcafc Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On T= ue, Oct 24, 2017 at 9:32 PM, Scott Kitterman <sklist@kitterman.com= > wrote:
You've convinced me &q= uot;none" is not what we want.=C2=A0 I think that your
hypothetical DKIM signature warrants a "permerror" and that's= what we should
use here.

As a r= eport receiver, "permerror" is a much clearer signal than "f= ail" that there's an error on the domain owner's end that requ= ires fixing. I'm now convinced and retract my earlier "it should b= e fail" comment.

--
<= div dir=3D"ltr">

Bringing Trust to Email<= /span>

Seth Blank | Director of Industry Initiatives

seth@valimail.com
+1-415-894-2724
--001a114fd6dc786ed7055c5dcafc-- From nobody Wed Oct 25 07:52:57 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E07E13F071 for ; Wed, 25 Oct 2017 07:52:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r-deGqp2xYtn for ; Wed, 25 Oct 2017 07:52:54 -0700 (PDT) Received: from mail-lf0-x231.google.com (mail-lf0-x231.google.com [IPv6:2a00:1450:4010:c07::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4FFF13EF91 for ; Wed, 25 Oct 2017 07:52:53 -0700 (PDT) Received: by mail-lf0-x231.google.com with SMTP id l23so270463lfk.10 for ; Wed, 25 Oct 2017 07:52:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=kbl3xXQMkjcctYDiUBk+IHMKCFiZEZTVGm41UTNBGdI=; b=G1AdlWH+ekjtgmek2OxnTPNnGQwXPgse3cTnlIXM74mP7dFnzHpy5DCe20ON5sfr5S Q05lHu6BniSZrZ5fwbjOg6Dvws0NCu0+4O57jK/sZuideZWk/OYWWA8EDFOR9SEsrHY+ AqSNXR7ijOUj706JSEbNinxdgqa9AuxifQDww= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=kbl3xXQMkjcctYDiUBk+IHMKCFiZEZTVGm41UTNBGdI=; b=RL0BfCnPVrS51ZSXkkfoKDGSolnlzKPfPWwh976KY59yxR4tLdsvN68solCrxblvhp xmZezLKhLAcTgh0yblfrneXkdPpkx4XX/Tnzf5feXrpkWmgOzzLjDEVvGmFBnwf/g41o IhNy8fRHE1TU+Iqzzed/cfn1GtIl/th1ktWlOJ/6wdpakEjf5GB9WLjULykrTtmK06w8 vdfd85wIzLg4S0xydAYJbTFysJZUeUrW/R7rimEcbjNIVYUoJWoILV+TipNkaxH1w7xd 4lp0POLcCZNIfUsy6z3abSt8HwAqZ5edGifVPhjrQPxBn0CtoymhM4Bbdf0V5gNVZwPL /Krw== X-Gm-Message-State: AMCzsaWuS0tjDZgmTnhg7sgeIsaeIH+6sFWTa1JLPLWXz4pJxHKbuaHu B1Y/h50sbrejG7g+u8XHcy6AJoH8A3skdwHqHsGyM9W7 X-Google-Smtp-Source: ABhQp+QY/OGE29GbOzALdS1tiN4XrHAJVlRUzJGbS+ZpjUcgPdhVsyqMvPJDJMUDaph2nDXrdm4FAKuwSh1l1CUl1M0= X-Received: by 10.25.17.153 with SMTP id 25mr6954299lfr.132.1508943171821; Wed, 25 Oct 2017 07:52:51 -0700 (PDT) MIME-Version: 1.0 Received: by 10.25.158.77 with HTTP; Wed, 25 Oct 2017 07:52:51 -0700 (PDT) In-Reply-To: <1827464.gt1Kil1zhX@kitterma-e6430> References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> <1827464.gt1Kil1zhX@kitterma-e6430> From: Kurt Andersen Date: Wed, 25 Oct 2017 14:52:51 +0000 Message-ID: To: Scott Kitterman Cc: dcrup@ietf.org Content-Type: multipart/alternative; boundary="001a1140379ebe3afe055c6035ce" Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Oct 2017 14:52:55 -0000 --001a1140379ebe3afe055c6035ce Content-Type: text/plain; charset="UTF-8" On Wed, Oct 25, 2017 at 4:32 AM, Scott Kitterman wrote: > On Tuesday, October 24, 2017 09:15:05 PM Murray S. Kucherawy wrote: > > On Tue, Oct 24, 2017 at 4:35 PM, Kurt Andersen wrote: > > > In fact I would claim that by the definitions in Section 2.7.1 of > RFC7601, > > > > > >> "policy" is the only option. > > > > > > Are we talking about before or after this group consigns sha1 to the > ash > > > heap? > > > > Concurrent with. > > > > Perhaps I'm confused about the sequencing of events that we are > discussing. > > > > > If the original DKIM spec had allowed rsa-md5 and a previous > > > (hypothetical) > > > instance of DCRUP had similarly deprecated MD5, what sort of > designation > > > would we expect to be recorded today for such usage? > > > > The question's never been asked before, so I don't know how to answer > > that. But I don't think "none" is right unless we also want to contend > > that a DKIM-Signature field with a syntax error in it also warrants a > > "none", which I don't believe is the case. > > > > -MSK > > You've convinced me "none" is not what we want. I think that your > hypothetical DKIM signature warrants a "permerror" and that's what we > should > use here. Makes sense to me - thanks for hashing through this (no pun intended). --Kurt --001a1140379ebe3afe055c6035ce Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On W= ed, Oct 25, 2017 at 4:32 AM, Scott Kitterman <sklist@kitterman.com= > wrote:
=
On Tuesday, October 24, 2017 09:15:05 PM Murray S. Kucher= awy wrote:
> On Tue, Oct 24, 2017 at 4:35 PM, Kurt Andersen <kurta@drkurt.com> wrote:
> > In fact I would claim that by the definitions in Section 2.7.1 of= RFC7601,
> >
> >> "policy" is the only option.
> >
> > Are we talking about before or after this group consigns sha1 to = the ash
> > heap?
>
> Concurrent with.
>
> Perhaps I'm confused about the sequencing of events that we are di= scussing.
>
> > If the original DKIM spec had allowed rsa-md5 and a previous
> > (hypothetical)
> > instance of DCRUP had similarly deprecated MD5, what sort of desi= gnation
> > would we expect to be recorded today for such usage?
>
> The question's never been asked before, so I don't know how to= answer
> that.=C2=A0 But I don't think "none" is right unless we = also want to contend
> that a DKIM-Signature field with a syntax error in it also warrants a<= br> > "none", which I don't believe is the case.
>
> -MSK

You've convinced me "none" is not what we want.= =C2=A0 I think that your
hypothetical DKIM signature warrants a "permerror" and that's= what we should
use here.

Makes sense to me - thanks for ha= shing through this (no pun intended).

--Kurt=C2=A0=

--001a1140379ebe3afe055c6035ce-- From nobody Wed Oct 25 09:49:17 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D01C139478 for ; Wed, 25 Oct 2017 09:49:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.699 X-Spam-Level: X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QilSvL0GgEHp for ; Wed, 25 Oct 2017 09:49:13 -0700 (PDT) Received: from mail-qk0-x230.google.com (mail-qk0-x230.google.com [IPv6:2607:f8b0:400d:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33FE5138BE7 for ; Wed, 25 Oct 2017 09:49:13 -0700 (PDT) Received: by mail-qk0-x230.google.com with SMTP id n5so827244qke.11 for ; Wed, 25 Oct 2017 09:49:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=nbomY9BECTmxWNbuEWOlai+aKcGxXqlYx8M63iK4nSI=; b=TYFBAuM/q4mbp/b99ZtsIvNnOkTmh9KIvtiIBfUYTVIfP6KAWRc9PPrOWF17pMMQZS a6yf5Ump16XbJj8vaoRrup3IjsRrLZRxmu+nOgqzBpiQEmhYeE1mq6dEup0Zq6V7GI9n hwkiG3qEXW+JyFo40RcgNn/keH5D7XapgaWm2rsBtn9iesDsneCVlgJ4fnGfNVpvTiyg UA57Si19BMbCjEH1fbyUzvvKXbblthXhVaC3RdGrXDdp47CFcDdkDs5kYg5nb68CCAzv 59870GuQ7+mk6Fp8rCbYFcfP+T5NRvG3bsxQ22XpDDeRJ5J+pxWepBFrISuYxG4BX45T xa9g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=nbomY9BECTmxWNbuEWOlai+aKcGxXqlYx8M63iK4nSI=; b=d/Sc0mkCECplaUaijQEJngGe4eQsx4PRIV6kqxhHrWoUAXvo3gHrsNoCRei2UHmPeZ OF1baJa8Il3UUT2K1ioiqgDpFzjM4nlBVpqOn89LN5+jSJYzCXZbpPubjq6PeJgWv8vU KtIy9gtKdsNawxiluNy99GiB7k2z5LWToIqbWQw04EQrdtwsm0MQFHbnH+H85D/wG/w4 reYmH8j+BXPtAZ2OHdkTaiCypQUpsTrqiP6grTodpmHv+IzuM8wzJHLr6wIoz4pjtr8Z VECYPJ3AfGXEQJPB3FimnylvjOr8XYQk+Ihp8DGEefcN5ckFB4YL2v7XZ+5vRb1nvW// ziQg== X-Gm-Message-State: AMCzsaVH+4FGFwUKkzO9327exieLJ4G6UF9EcYacRY7VG2lf78cyynIY byWWHYb3CPK7y5wN/sZECYR91+51uS+GZLp74uT5IA== X-Google-Smtp-Source: ABhQp+S8DzLL+SGX4N7ngaAs5sWROwW9ToODmMEpsDvYjrrf0RcrtsLx4hyRXBEeijiT2GqauCV0Deau9z0ocMenTG0= X-Received: by 10.55.179.196 with SMTP id c187mr3975964qkf.249.1508950152079; Wed, 25 Oct 2017 09:49:12 -0700 (PDT) MIME-Version: 1.0 Received: by 10.200.40.115 with HTTP; Wed, 25 Oct 2017 09:49:11 -0700 (PDT) In-Reply-To: <1827464.gt1Kil1zhX@kitterma-e6430> References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> <1827464.gt1Kil1zhX@kitterma-e6430> From: "Murray S. Kucherawy" Date: Wed, 25 Oct 2017 09:49:11 -0700 Message-ID: To: Scott Kitterman Cc: dcrup@ietf.org Content-Type: multipart/alternative; boundary="94eb2c0628c6cc6eec055c61d5e8" Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Oct 2017 16:49:15 -0000 --94eb2c0628c6cc6eec055c61d5e8 Content-Type: text/plain; charset="UTF-8" On Tue, Oct 24, 2017 at 9:32 PM, Scott Kitterman wrote: > You've convinced me "none" is not what we want. I think that your > hypothetical DKIM signature warrants a "permerror" and that's what we > should > use here. > OK, then I think we're in agreement on how to edit the draft to respond to the raised issues and resubmit so Alexey can send it off to the RFC Editor. Thanks everyone! -MSK --94eb2c0628c6cc6eec055c61d5e8 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Tue, Oct 24, 2017 at 9:32 PM, Scott Kitterman <skli= st@kitterman.com> wrote:
You've convinced me= "none" is not what we want.=C2=A0 I think that your
hypothetical DKIM signature warrants a "permerror" and that's= what we should
use here.

OK, then I think we're in= agreement on how to edit the draft to respond to the raised issues and res= ubmit so Alexey can send it off to the RFC Editor.

Thank= s everyone!

-MSK
--94eb2c0628c6cc6eec055c61d5e8-- From nobody Fri Oct 27 04:37:19 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BE7413A8A1 for ; Fri, 27 Oct 2017 04:37:17 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.301 X-Spam-Level: X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=tana.it Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FZu0earHDzxU for ; Fri, 27 Oct 2017 04:37:15 -0700 (PDT) Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C69EE13F501 for ; Fri, 27 Oct 2017 04:37:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=beta; t=1509104231; bh=n/LXbXaUbLd7W9uwT92opymqh4enHmtRD5q4J/XkO4w=; l=946; h=To:References:From:Date:In-Reply-To; b=nG0szKRfcR5sHNvUQ+FYTHCSN76Xy2V6KXImHHPkU4QzI+IiWCWMBZ/WoStfiVFXH WDN8jepCJbDvbdcJKFIA2BZMg0/On9bpKpSVxplRDVE7c/Rakx0g5h+n9L5FRY85QK xqz8uyRnXiFBv1rhOpgZP3mTmxsSh7oA+toRAJTw= Authentication-Results: tana.it; auth=pass (details omitted) Received: from [172.25.197.109] (pcale.tana [172.25.197.109]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by wmail.tana.it with ESMTPA; Fri, 27 Oct 2017 13:37:11 +0200 id 00000000005DC0A2.0000000059F31A67.000008D1 To: dcrup@ietf.org References: <20171021164630.90725.qmail@ary.lan> From: Alessandro Vesely Openpgp: id=0A5B4BB141A53F7F55FC8CBCB6ACF44490D17C00 Message-ID: <0f8ecf1a-a8f6-0752-7197-5428107a4a1a@tana.it> Date: Fri, 27 Oct 2017 13:37:11 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Archived-At: Subject: Re: [Dcrup] dcrup - Requested session has been scheduled for IETF 100 X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Oct 2017 11:37:17 -0000 On Tue 24/Oct/2017 22:30:06 +0200 someone wrote: >> JRL> When a() and b() are existing, debugged, documented code, and c() is >> JRL> not, it happens all the time. >> >> But c() is eddsa(), so you can't call it undebugged or undocumented. > > Sorry, this is hopeless.  If it's not self-evident why we want to use existing > DKIM routines that produce a short fixed-length hash rather than tearing the > libraries apart to invent new interfaces that produce variable length text, > potentially very long text so it'd need some kind of coroutine to produce it in > chunks, I don't think I can help. What is not self-evident is a(b()) == c(). I'm less of a crypto expert than you, but I suspect there's a reason why Schnorr signatures have different hash function requirements than RSA. At a minimum, DKIM should use sha-512, according to draft-ietf-curdle-cms-eddsa-signatures, which is different from a(b()) already. Ale -- From nobody Fri Oct 27 14:49:45 2017 Return-Path: X-Original-To: dcrup@ietf.org Delivered-To: dcrup@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B51313875A; Fri, 27 Oct 2017 14:49:40 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: Cc: dcrup@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.63.2 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <150914098003.22160.8532984946715133855@ietfa.amsl.com> Date: Fri, 27 Oct 2017 14:49:40 -0700 Archived-At: Subject: [Dcrup] I-D Action: draft-ietf-dcrup-dkim-usage-05.txt X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Oct 2017 21:49:40 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the DKIM Crypto Update WG of the IETF. Title : Cryptographic Algorithm and Key Usage Update to DKIM Author : Scott Kitterman Filename : draft-ietf-dcrup-dkim-usage-05.txt Pages : 5 Date : 2017-10-27 Abstract: The cryptographic algorithm and key size requirements included when DKIM was designed in the last decade are functionally obsolete and in need of immediate revision. This document updates DKIM requirements to those minimaly suitable for operation with currently specified algorithms. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dcrup-dkim-usage/ There are also htmlized versions available at: https://tools.ietf.org/html/draft-ietf-dcrup-dkim-usage-05 https://datatracker.ietf.org/doc/html/draft-ietf-dcrup-dkim-usage-05 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-dcrup-dkim-usage-05 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Fri Oct 27 14:53:06 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83DA413F5F0 for ; Fri, 27 Oct 2017 14:53:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.791 X-Spam-Level: X-Spam-Status: No, score=-1.791 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=kitterman.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id loLBsBC-DHyW for ; Fri, 27 Oct 2017 14:53:02 -0700 (PDT) Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DA4E13F5E8 for ; Fri, 27 Oct 2017 14:53:02 -0700 (PDT) Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 88709C40166 for ; Fri, 27 Oct 2017 16:53:00 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2001409; t=1509141180; bh=g8b/0rVY6SGpBUXYf/C0KqP7oL4AFtT3IFspNO1FFN8=; h=From:To:Subject:Date:In-Reply-To:References:From; b=PDg7/VZwzexST9uZRQHNZQ7oXw67uik4zb+kh5rprGHAYOoUwoJ9Jgm88gYGvxa8m 0VW0VmpXuvdgBsWH9LGtsmt9qYKpGwtf7Y2ZRh06DpYkbwh5sAZNI4gm1K5Dy+QOTT +4mPbRGsIznbtQI/hjg3pR5c1yF3wc/BYFgDW4kM= From: Scott Kitterman To: dcrup@ietf.org Date: Fri, 27 Oct 2017 17:52:59 -0400 Message-ID: <3401869.k1Vl4Fzuja@kitterma-e6430> User-Agent: KMail/4.13.3 (Linux/3.13.0-133-generic; KDE/4.13.3; x86_64; ; ) In-Reply-To: References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> <1827464.gt1Kil1zhX@kitterma-e6430> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Oct 2017 21:53:03 -0000 On Wednesday, October 25, 2017 09:49:11 AM Murray S. Kucherawy wrote: > On Tue, Oct 24, 2017 at 9:32 PM, Scott Kitterman > > wrote: > > You've convinced me "none" is not what we want. I think that your > > hypothetical DKIM signature warrants a "permerror" and that's what we > > should > > use here. > > OK, then I think we're in agreement on how to edit the draft to respond to > the raised issues and resubmit so Alexey can send it off to the RFC Editor. > > Thanks everyone! > > -MSK I have uploaded -05 to address these two issues and a typo fix that had been previously identified: https://www.ietf.org/rfcdiff?url1=draft-ietf-dcrup-dkim-usage-04&url2=draft-ietf-dcrup-dkim-usage-05 Scott K From nobody Fri Oct 27 18:20:39 2017 Return-Path: X-Original-To: dcrup@ietfa.amsl.com Delivered-To: dcrup@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70B6913F5A3 for ; Fri, 27 Oct 2017 18:20:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.698 X-Spam-Level: X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QC0pKZvhEwuy for ; Fri, 27 Oct 2017 18:20:34 -0700 (PDT) Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D98313F5BF for ; Fri, 27 Oct 2017 18:20:28 -0700 (PDT) Received: by mail-qk0-x229.google.com with SMTP id o187so10393598qke.7 for ; Fri, 27 Oct 2017 18:20:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=WrxgmgGlFhEpEtDRuz1S2TPBMc3ENSe24Z1wuXHCV00=; b=lbV81Rgq54tb+gQTuSLJjHjlGiKOg7XrEb/TcAI+rhtHOObpJ+6JwEBlthGbiIi9dO DO/yZHVfnq7dyI6maTTOS1RzVyvVllvMRIDaJLI61ooD5pF171op9xG2dbZfvdA8zbCw +bXo23V4TLFYZEJDM87sUwmB5/rPL7ix+UYQmfxjL0mc6NPI+Oyn6qJT7JbVsE2kBX0E aE1CgMP5DY5urqO0Cz3KtqDY/0Drn+rbpx4wi26TwsdLmlqI/GJRVEXq/00N/Y+p3xGh vauNL+KYxYIxRVDm+va46/O4QECpGPZTf87oqueGtdjnUdhCcEKhddyIq9/xfp53XVdh Yq4A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=WrxgmgGlFhEpEtDRuz1S2TPBMc3ENSe24Z1wuXHCV00=; b=ek/P0XryLToamn/gL/EONNYqPzy9xTNTGhu6cv18QQZ2SPWXKRigcPunXXdnBeGL4f EyZ471+jcLvLiAxP+8yx/J3/I4DcBlBQS1TB8pCbst3Thsb1/9KpDsvO7OjObW2YiY6o f+e8tovBMlBAYtd/z9dnO2tAdEjcjVRCXwwm4YPjeiEJANARFzDIt2W5VS5EczTMbdWx Ogk8aPmvqN8gJybAKFy0/qrfRREyWpAD6DyUyHBgD3dcHVz4phrMvlK5xXNthMd4Jy6M sTSXfsvbj4N1je/mKaUw6B2ln2IpCErhXX3SDykjLm5Ai36e+17X5r18cCyXB6zs2bsf FaMw== X-Gm-Message-State: AMCzsaXJiAlh4q2GMRfV7HNeCu6wc5ofj8T1Xa073Lli+/DELRIgjUtr Ltx+z0wE8N7aAoA+sLF9xPWwWVyfhR5Wf9TxGlaDEw== X-Google-Smtp-Source: ABhQp+TWEsf8cRg+RBFp+IM45L2d6Tiz3NfZxYFQoqYLLJW90bKbLkywgAUUqVMLqFtjd8zFuynjNA9JRfJmfaVMhd8= X-Received: by 10.55.204.157 with SMTP id n29mr3295787qkl.243.1509153627416; Fri, 27 Oct 2017 18:20:27 -0700 (PDT) MIME-Version: 1.0 Received: by 10.200.40.115 with HTTP; Fri, 27 Oct 2017 18:20:26 -0700 (PDT) In-Reply-To: <3401869.k1Vl4Fzuja@kitterma-e6430> References: <150649085207.24995.1867894975380491185.idtracker@ietfa.amsl.com> <1827464.gt1Kil1zhX@kitterma-e6430> <3401869.k1Vl4Fzuja@kitterma-e6430> From: "Murray S. Kucherawy" Date: Fri, 27 Oct 2017 18:20:26 -0700 Message-ID: To: Alexey Melnikov Cc: dcrup@ietf.org Content-Type: multipart/alternative; boundary="001a1146d052dfac88055c9135ab" Archived-At: Subject: Re: [Dcrup] Adam Roach's No Objection on draft-ietf-dcrup-dkim-usage-04: (with COMMENT) X-BeenThere: dcrup@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: DKIM Crypto Update List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 28 Oct 2017 01:20:38 -0000 --001a1146d052dfac88055c9135ab Content-Type: text/plain; charset="UTF-8" Alexey, was there anything else or are we all set here? -MSK On Fri, Oct 27, 2017 at 2:52 PM, Scott Kitterman wrote: > On Wednesday, October 25, 2017 09:49:11 AM Murray S. Kucherawy wrote: > > On Tue, Oct 24, 2017 at 9:32 PM, Scott Kitterman > > > > wrote: > > > You've convinced me "none" is not what we want. I think that your > > > hypothetical DKIM signature warrants a "permerror" and that's what we > > > should > > > use here. > > > > OK, then I think we're in agreement on how to edit the draft to respond > to > > the raised issues and resubmit so Alexey can send it off to the RFC > Editor. > > > > Thanks everyone! > > > > -MSK > > I have uploaded -05 to address these two issues and a typo fix that had > been > previously identified: > > https://www.ietf.org/rfcdiff?url1=draft-ietf-dcrup-dkim- > usage-04&url2=draft-ietf-dcrup-dkim-usage-05 > > Scott K > > _______________________________________________ > Dcrup mailing list > Dcrup@ietf.org > https://www.ietf.org/mailman/listinfo/dcrup > --001a1146d052dfac88055c9135ab Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Alexey, was there anything else or are we all set her= e?

-MSK

On Fri, Oct 27, 2017 at 2:52 PM, Scott Kitterman <sklist@k= itterman.com> wrote:
On Wednesday, October 25, 2017 09:49:11 A= M Murray S. Kucherawy wrote:
> On Tue, Oct 24, 2017 at 9:32 PM, Scott Kitterman <sklist@kitterman.com>
>
> wrote:
> > You've convinced me "none" is not what we want.=C2= =A0 I think that your
> > hypothetical DKIM signature warrants a "permerror" and = that's what we
> > should
> > use here.
>
> OK, then I think we're in agreement on how to edit the draft to re= spond to
> the raised issues and resubmit so Alexey can send it off to the RFC Ed= itor.
>
> Thanks everyone!
>
> -MSK

I have uploaded -05 to address these two issues and a typo fix = that had been
previously identified:

https://www.ietf.org/rfcdiff?url1=3Ddraft-ietf-dcrup-dkim-usage-04&url2=3Ddraft-ietf-dcrup-dkim-usage-05

Scott K

_______________________________________________
Dcrup mailing list
Dcrup@ietf.org
https://www.ietf.org/mailman/listinfo/dcrup

--001a1146d052dfac88055c9135ab--