Steffen Nurpmeso wrote in
 <20240306224151.r4D7UEwr@steffen%sdaoden.eu>:
 |Scott Kitterman wrote in
 | <c9ef0654-c410-46dc-b9a7-716e3eca0...@kitterman.com>:
 ||On March 6, 2024 9:56:50 PM UTC, Steffen Nurpmeso <stef...@sdaoden.eu> \
 ||wrote:
 ...
 ||>So now that i have DKIM myself i tested.
 ||>And *no* verification software i can reach actually supports
 ||>Ed25519-sha256 as of RFC 8463 from September 2018!
 ||
 ||In addition to my dkimpy-milter, exim supports it and I believe opendkim \
 ...
 ||This isn't horrible.  The main reason for RFC 8463 was, in my view, \
 ||as a hedge for some discovery that suddenly made RSA obsolete, which \
 ||hasn't happened yet.  From a standards perspective, it is there if needed.
 |
 |It greatly reduces the size of the headers, too.  And of the DNS
 |entries, and the DNS traffic as such, in UDP.
 |
 |I would speak contra and say it is a terrible picture.
 |And one mail i would have written right now in the queue.

One more contra, please.
In the software i have just written, the required code snippet to
support RFC 8463 is in one conditional OR.
In fact i am quite happy to contra, and hope at least one OpenSSL
person reads it, because i complained about this interface a month
ago i think.

    /* Unfortunately there is no easy accessible property that tells us which codepath to take */
    EVP_MD_CTX_reset(mdcp->mdc_md_ctx);
    if(!EVP_DigestSignInit(mdcp->mdc_md_ctx, NIL, mdcp->mdc_md->md_md, NIL, kp->k_key) &&

^ This is RSA.

                    !EVP_DigestSignInit(mdcp->mdc_md_ctx, NIL, NIL, NIL, kp->k_key)){

^ This is Ed25519.
Unfortunately nothing but brute force trials are possible to
detect which code path to take.  (It is worse actually, as i said
on the openssl-users list by quoting an OpenSSL commit message,
there is now a door open to make this way of doing things
impossible, and who knows whether they will go through it or not.)

Yes another reason to cheer RFC 6376 for this to be possible.
Ie, the possibly lengthy body with a stream-enabled digest, and
the cryptographic signature, that possibly is not stream-capable,
but requires one-shot signing, only for the header!
RFC 6376 is fantastic.  (Except for LF + CR.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
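
The two signing paths and the streamed-body/one-shot-header split discussed in this message, as an added example that is not part of the original mail and not the author's C code. It assumes Python's `cryptography` package; the message body and header data are constructed and simplified, not full RFC 6376 canonicalization.

```python
import base64, hashlib
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa

def body_hash(chunks):
    """bh= value: SHA-256 streamed over an already canonicalized body."""
    h = hashlib.sha256()
    for chunk in chunks:          # the body may be arbitrarily long
        h.update(chunk)
    return base64.b64encode(h.digest()).decode()

def sign_headers(key, header_data):
    """b= value over canonicalized header data; the path depends on key type."""
    if isinstance(key, rsa.RSAPrivateKey):
        # rsa-sha256: the digest is handed to the signing call
        sig = key.sign(header_data, padding.PKCS1v15(), hashes.SHA256())
    elif isinstance(key, ed25519.Ed25519PrivateKey):
        # ed25519-sha256 (RFC 8463): no digest parameter, one-shot only;
        # the SHA-256 of the header data is what gets signed
        sig = key.sign(hashlib.sha256(header_data).digest())
    else:
        raise TypeError("unsupported DKIM key type")
    return base64.b64encode(sig).decode()

def verify_headers(pub, header_data, b64sig):
    """True if b64sig is valid for header_data under pub, else False."""
    sig = base64.b64decode(b64sig)
    try:
        if isinstance(pub, rsa.RSAPublicKey):
            pub.verify(sig, header_data, padding.PKCS1v15(), hashes.SHA256())
        elif isinstance(pub, ed25519.Ed25519PublicKey):
            pub.verify(sig, hashlib.sha256(header_data).digest())
        else:
            raise TypeError("unsupported DKIM key type")
    except InvalidSignature:
        return False
    return True

def demo():
    """Sign one constructed message with both key types; return b= lengths."""
    keys = {"rsa-sha256": rsa.generate_private_key(public_exponent=65537, key_size=2048),
            "ed25519-sha256": ed25519.Ed25519PrivateKey.generate()}
    bh = body_hash([b"Hello,\r\n", b"world\r\n"])   # constructed body, two chunks
    out = {}
    for alg, key in keys.items():
        hdr = (b"from:a@example.org\r\nsubject:test\r\n"   # constructed headers
               b"dkim-signature:v=1; a=" + alg.encode() + b"; bh=" + bh.encode() + b"; b=")
        b = sign_headers(key, hdr)
        assert verify_headers(key.public_key(), hdr, b)
        assert not verify_headers(key.public_key(), hdr + b"x", b)
        out[alg] = len(b)
    return out
```

`demo()` returns the base64 length of each `b=` value, which shows the header-size difference between the two algorithms mentioned in the quoted text.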
