[ietf-dkim] agenda item on upgrading hash algorithms?

Steve Atkins steve at blighty.com
Sat Feb 25 08:13:32 PST 2006


On Feb 24, 2006, at 12:56 PM, Hector Santos wrote:

>
>> The reason people are pushing for SHA-256 now is not because there is a
>> probable imminent break. It is because we know just how long the process
>> of switching algorithms takes.
>
> I agree.
>
>> I think that the consensus here is to:
>>
>> 1) Start the SHA-256 transition now, making it a MUST for verifiers,
>> MUST/SHOULD for signers.
>
> My only take here is that this MUST/SHOULD for signers will always be tagged
> with a basic implementation question of
>
>    "well, which one should I use?"
>
> So I think it should be carefully phrased to say:
>
>     SIGNERS "SHOULD" use the highest form of security first among the
>     choices currently available {SHA-1, SHA-256}.  Although it is out
>     of the scope of this specification, a SIGNER "MAY" use a
>     VERIFIER lookup concept to determine the highest form of
>     security it offers.
>
> This helps or resolves both issues and addresses the future, especially the
> case if indeed when a method is hacked and DKIM signer wishes to quickly
> migrate to a new method as supported by the validators. In my view, it is
> almost inevitable, the signer will need to be a lot smarter than the
> documentation calls for. i.e. find out more about the host system it is
> about to send a "valuable" mail to.

This discussion, though, all assumes that we're talking about strong
cryptography.

We're not. We're talking about weak authentication, primarily for email
whitelisting. There are so many other trivially exploitable flaws in the
whole DK concept if it were applied to other problem domains (phishing, say)
that considering it as anything outside the domain of weak authentication
of email originator is going to be unwise.

Given that, even if an algorithm is compromised it is still of value if the
cost of faking up a hash drastically exceeds the value of being able to
look signed when you're not. That value is pretty low in any scenario
where the sender and recipient are going to be relying solely on DK.

Given the CPU overhead of SHA-256 is about 50% higher than SHA-1 it
makes more sense for the senders of most email currently to use SHA-1
than SHA-256. That will continue to be true if SHA-1 is "broken" for some
definition of the word.

Even if you wildly disagree with all of the above it all remains quite true
in the perception of the largest senders of DKIM authenticated email
and you need to bear that in mind.

Cheers,
   Steve




