ietf-dkim

Re: [ietf-dkim] agenda item on upgrading hash algorithms?

2006-02-25 09:16:13

On Feb 24, 2006, at 12:56 PM, Hector Santos wrote:


The reason people are pushing for SHA-256 now is not because there is a
probable imminent break. It is because we know just how long the process
of switching algorithms takes.

I agree.

I think that the consensus here is to:

1) Start the SHA-256 transition now, making it a MUST for verifiers,
MUST/SHOULD for signers.

My only take here is that this MUST/SHOULD for signers will always be tagged
with a basic implementation question of

   "well, which one should I use?"

So I think it should be carefully phrased to say:

    SIGNERS "SHOULD" use the highest form of security first among the
    choices currently available {SHA-1, SHA-256}.  Although it is out
    of the scope of this specification, a SIGNER "MAY" use a
    VERIFIER lookup concept to determine the highest form of
    security it offers.

This helps or resolves both issues and addresses the future, especially the
case if indeed when a method is hacked and DKIM signer wishes to quickly
migrate to a new method as supported by the validators. In my view, it is
almost inevitable, the signer will need to be a lot smarter than the
documentation calls for. i.e. find out more about the host system it is
about to send a "valuable" mail to.

This discussion, though, all assumes that we're talking about strong
cryptography.

We're not. We're talking about weak authentication, primarily for email
whitelisting. There are so many other trivially exploitable flaws in the
whole DK concept if it were applied to other problem domains (phishing,
say) that considering it as anything outside the domain of weak
authentication of email originator is going to be unwise.

Given that, even if an algorithm is compromised it is still of value if the
cost of faking up a hash drastically exceeds the value of being able to
look signed when you're not. That value is pretty low in any scenario
where the sender and recipient are going to be relying solely on DK.

Given the CPU overhead of SHA-256 is about 50% higher than SHA-1 it
makes more sense for the senders of most email currently to use SHA-1
than SHA-256. That will continue to be true if SHA-1 is "broken" for some
definition of the word.

Even if you wildly disagree with all of the above it all remains quite true
in the perception of the largest senders of DKIM authenticated email
and you need to bear that in mind.

Cheers,
  Steve



_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
