Re: [Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

2024-03-07 Thread Murray S. Kucherawy
On Thu, Mar 7, 2024 at 1:05 PM A. Schulze  wrote:

> I enabled double signing years ago on my personal domain and last year at
> a medium-scale ESP.
> So far, we didn't notice negative effects.
> Intentionally I removed SPF on my personal domain last year, also without
> any delivery issues.
>
> I also validate both signatures if present but didn't any statistics.
>
> One interesting point is the signature order. Without specific reasons I
> sign rsa first, then ed25519.
> This message is the first, I send with the opposite order: ed25519 first,
> then rsa.
> Let's see, what will happen... My naive assumption: order doesn't matter.
>

Section 4.2 of RFC 6376 is pretty nebulous about this.  You can do them in
any order, and you can stop after you get one that you like based on
whatever local policy you choose or do them all.

Given the time that's passed since RFC 8463 was published, I'd expect to
have heard that order matters in one way or another if indeed it does.  The
absence of such experience might be telling.

-MSK
___
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
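
The per-signature evaluation discussed in the message above, as an added example that is not code from anyone in the thread: each DKIM-Signature is triaged on its own against its key record before any cryptography, so an unsupported algorithm or a mismatched key sets aside only that signature, whichever position it has. The header values, key records, selectors and the `supported` sets are constructed sample data, and the cryptographic check itself is left out.

```python
# Added example: triage of several DKIM-Signature fields before any crypto.
# Every header value and key record below is constructed sample data.
HASH_OF = {"rsa-sha1": "sha1", "rsa-sha256": "sha256", "ed25519-sha256": "sha256"}
KEYTYPE_OF = {"rsa-sha1": "rsa", "rsa-sha256": "rsa", "ed25519-sha256": "ed25519"}


def parse_tags(value):
    """Parse an RFC 6376 tag-list ("a=b; c=d") into a dict.

    All whitespace is dropped, which is fine for the tags inspected here.
    """
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags["".join(name.split())] = "".join(val.split())
    return tags


def triage(sig_value, key_records, supported):
    """Return (selector, algorithm, verdict) for one DKIM-Signature value.

    "evaluate" means the signature may go on to the cryptographic check;
    any other verdict sets aside this signature only, never the message.
    """
    sig = parse_tags(sig_value)
    algo, selector = sig.get("a", "").lower(), sig.get("s", "")
    if algo not in supported or algo not in KEYTYPE_OF:
        return selector, algo, "skip: unsupported algorithm"
    record = key_records.get((selector, sig.get("d", "")))
    if record is None:
        return selector, algo, "permfail: no key for signature"
    key = parse_tags(record)
    if not key.get("p"):  # empty (or absent) p= is treated as a revoked key
        return selector, algo, "permfail: key revoked"
    if key.get("k", "rsa").lower() != KEYTYPE_OF[algo]:
        return selector, algo, "permfail: inappropriate key algorithm"
    allowed = key.get("h")
    if allowed and HASH_OF[algo] not in allowed.lower().split(":"):
        return selector, algo, "permfail: inappropriate hash algorithm"
    return selector, algo, "evaluate"


def triage_all(signatures, key_records, supported):
    """Triage each signature on its own merits, in header order."""
    return [triage(s, key_records, supported) for s in signatures]


ED = "v=1; a=ed25519-sha256; d=example.org; s=ed2024; h=from:subject; bh=AAAA; b=BBBB"
RSA = "v=1; a=rsa-sha256; d=example.org; s=rsa2024; h=from:subject; bh=AAAA; b=CCCC"
SHA1 = "v=1; a=rsa-sha1; d=example.org; s=rsa2024; h=from:subject; bh=DDDD; b=EEEE"
KEYS = {  # (selector, domain) -> TXT record a DNS lookup would return
    ("ed2024", "example.org"): "v=DKIM1; k=ed25519; p=Zm9v",
    ("rsa2024", "example.org"): "v=DKIM1; k=rsa; h=sha256; p=YmFy",
}

if __name__ == "__main__":
    for order in ([ED, RSA], [RSA, ED], [SHA1, RSA]):
        print(triage_all(order, KEYS, {"rsa-sha1", "rsa-sha256"}))
```
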


Re: [Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

2024-03-07 Thread Steffen Nurpmeso
Jeremy Harris wrote in
 :
 |On 06/03/2024 23:30, Steffen Nurpmeso wrote:
 |> Does this mean you do use Ed25519 and RSA since over four years in
 |> regular email?  It *breaks things*!?
 |
 |Yes.   And no, not that I've noticed.

Thanks.  Good to know.  I give it a try.

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)



Re: [Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

2024-03-07 Thread A. Schulze




On 07.03.24 at 00:30, Steffen Nurpmeso wrote:

> Interesting; i see selectors [er]202001.
> Does this mean you do use Ed25519 and RSA since over four years in
> regular email?  It *breaks things*!?


Hi,

I enabled double signing years ago on my personal domain and last year at a
medium-scale ESP.
So far, we didn't notice negative effects.
Intentionally I removed SPF on my personal domain last year, also without any
delivery issues.

I also validate both signatures if present but didn't any statistics.

One interesting point is the signature order. Without specific reasons I sign
rsa first, then ed25519.
This message is the first, I send with the opposite order: ed25519 first, then
rsa.
Let's see, what will happen... My naive assumption: order doesn't matter.

Andreas



Re: [Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

2024-03-07 Thread John Levine
It appears that Scott Kitterman   said:
>This isn't horrible.  The main reason for RFC 8463 was, in my view, as a hedge 
>for some discovery that suddenly made RSA
>obsolete, which hasn't happened yet.  From a standards perspective, it is 
>there if needed.

Yes, that is exactly the reason I wrote it.

My MTA doesn't generate or validate Ed25519 signatures either. Maybe
someday when I have some spare time.

R's,
John



Re: [Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

2024-03-06 Thread Jeremy Harris

On 06/03/2024 23:30, Steffen Nurpmeso wrote:

> Does this mean you do use Ed25519 and RSA since over four years in
> regular email?  It *breaks things*!?

Yes.   And no, not that I've noticed.
--
Cheers,
  Jeremy



Re: [Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

2024-03-06 Thread Steffen Nurpmeso
Jeremy Harris wrote in
 :
 |On 06/03/2024 22:41, Steffen Nurpmeso wrote:
 |> exam i do not know
 |
 |exim, possibly?

Interesting; i see selectors [er]202001.
Does this mean you do use Ed25519 and RSA since over four years in
regular email?  It *breaks things*!?

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)



Re: [Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

2024-03-06 Thread Scott Kitterman



On March 6, 2024 11:12:38 PM UTC, Jeremy Harris  wrote:
>On 06/03/2024 22:41, Steffen Nurpmeso wrote:
>> exam i do not know
>
>exim, possibly?

Yes.  Sorry.  It looks like autocorrect got me.

Scott K



Re: [Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

2024-03-06 Thread Jeremy Harris

On 06/03/2024 22:41, Steffen Nurpmeso wrote:

> exam i do not know

exim, possibly?
--
Cheers,
  Jeremy



Re: [Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

2024-03-06 Thread Steffen Nurpmeso
Steffen Nurpmeso wrote in
 <20240306230526.tcmkMKA1@steffen%sdaoden.eu>:
 ...
 |Btw now that i look at that thanks to my configurable header
 |display in the console based MUA i use, you use Ed25519 first and
 |then RSA, forcefully breaking the incapable IETF DKIM checks and

(Not true.  One passes.  The other is not supported.)

 |Microsoft as a whole.  That is brave!
 |I follow (a bit) by re-enabling Ed!!
 |
 |Ciao, and greetings from Germany!

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)



Re: [Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

2024-03-06 Thread Steffen Nurpmeso
Scott Kitterman wrote in
 <9ee553ec-aa5b-4dac-bf4d-9a0ffb289...@kitterman.com>:
 |On March 6, 2024 10:41:51 PM UTC, Steffen Nurpmeso  \
 |wrote:
 |>Scott Kitterman wrote in
 |> :
 |>|On March 6, 2024 9:56:50 PM UTC, Steffen Nurpmeso  \
 |>|wrote:
 ...
 |>|>So now that i have DKIM myself i tested.
 |>|>And *no* verification software i can reach actually supports
 |>|>Ed25519-sha256 as of RFC 8463 from September 2018!
 |>|
 |>|In addition to my dkimpy-milter, exam supports it and believe opendkim \
 |>
 |>Yes, you do support it.  I know of no endpoint i could reach out
 |>to test this, however.  But yes, of course your software
 |>thankfully supports it.
 ...
 |>exam i do not know, and OpenDKIM i am pretty sure does not support
 |>it, at least the Sourceforge.net thing; i have a local copy and
 |>the last change was in 2015.
 ...
 |For opendkim, you need to look on GitHub.  There has been some further \
 |development there.

Oh!  Hmm.  The difference seems niche i'd say.
Btw now that i look at that thanks to my configurable header
display in the console based MUA i use, you use Ed25519 first and
then RSA, forcefully breaking the incapable IETF DKIM checks and
Microsoft as a whole.  That is brave!
I follow (a bit) by re-enabling Ed!!

Ciao, and greetings from Germany!

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)



Re: [Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

2024-03-06 Thread Steffen Nurpmeso
Steffen Nurpmeso wrote in
 <20240306224151.r4D7UEwr@steffen%sdaoden.eu>:
 |Scott Kitterman wrote in
 | :
 ||On March 6, 2024 9:56:50 PM UTC, Steffen Nurpmeso  \
 ||wrote:
 ...
 ||>So now that i have DKIM myself i tested.
 ||>And *no* verification software i can reach actually supports
 ||>Ed25519-sha256 as of RFC 8463 from September 2018!
 ||
 ||In addition to my dkimpy-milter, exam supports it and believe opendkim \
 ...
 ||This isn't horrible.  The main reason for RFC 8463 was, in my view, \
 ||as a hedge for some discovery that suddenly made RSA obsolete, which \
 ||hasn't happened yet.  From a standards perspective, it is there if needed.
 |
 |It greatly reduces the size of the headers, too.  And of the DNS
 |entries, and the DNS traffic as such, in UDP.
 |
 |I would speak contra and say it is a terrible picture.
 |And one mail i would have written right now in the queue.

One more contra, please.
In the software i have just written, the required code snippet to
support RFC 8463 is in one conditional OR.
In fact i am quite happy to contra, and hope at least one OpenSSL
people reads it, because i complained about this interface a month
ago i think.

/* Unfortunately there is no easy accessible property that tells us which codepath to take */
EVP_MD_CTX_reset(mdcp->mdc_md_ctx);
if(!EVP_DigestSignInit(mdcp->mdc_md_ctx, NIL, mdcp->mdc_md->md_md, NIL, kp->k_key) &&

^ This is RSA.

      !EVP_DigestSignInit(mdcp->mdc_md_ctx, NIL, NIL, NIL, kp->k_key)){

^ This is Ed25519.
Unfortunately nothing but brute force trials are possible to
detect which code path to take.  (It is worse actually, as i said
on the openssl-users list by quoting an OpenSSL commit message,
there is now a door open to make this way of doing things
impossible, and who knows whether they will go through it or not.)

Yes another reason to cheer RFC 6376 for this to be possible.
Ie, the possibly lengthy body with a stream-enabled digest, and
the cryptographic signature, that possibly is not stream-capable,
but requires one-shot signing, only for the header!
RFC 6376 is fantastic.  (Except for LF + CR.)

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)



Re: [Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

2024-03-06 Thread Scott Kitterman



On March 6, 2024 10:41:51 PM UTC, Steffen Nurpmeso  wrote:
>Scott Kitterman wrote in
> :
> |On March 6, 2024 9:56:50 PM UTC, Steffen Nurpmeso  \
> |wrote:
> |>--- Forwarded from Steffen Nurpmeso  ---
> |>Date: Wed, 06 Mar 2024 22:49:48 +0100
> |>Author: Steffen Nurpmeso 
> |>From: Steffen Nurpmeso 
> |>...
> |>Subject: Re: [pfx] Recommendation for dkim signing
> |>Message-ID: <20240306214948.V5gSjSiU@steffen%sdaoden.eu>
> |>...
> |>
> |>...
> |>So now that i have DKIM myself i tested.
> |>And *no* verification software i can reach actually supports
> |>Ed25519-sha256 as of RFC 8463 from September 2018!
> |
> |In addition to my dkimpy-milter, exam supports it and believe opendkim \
>
>Yes, you do support it.  I know of no endpoint i could reach out
>to test this, however.  But yes, of course your software
>thankfully supports it.
>
> |does as well.  Their combined market share no doubt rounds to zero, \
> |but the software does exist.
>
>exam i do not know, and OpenDKIM i am pretty sure does not support
>it, at least the Sourceforge.net thing; i have a local copy and
>the last change was in 2015.
>
> |This isn't horrible.  The main reason for RFC 8463 was, in my view, \
> |as a hedge for some discovery that suddenly made RSA obsolete, which \
> |hasn't happened yet.  From a standards perspective, it is there if needed.
>
>It greatly reduces the size of the headers, too.  And of the DNS
>entries, and the DNS traffic as such, in UDP.
>
>I would speak contra and say it is a terrible picture.
>And one mail i would have written right now in the queue.

For opendkim, you need to look on GitHub.  There has been some further 
development there.

Scott K



[Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

2024-03-06 Thread Steffen Nurpmeso
--- Forwarded from Steffen Nurpmeso  ---
Date: Wed, 06 Mar 2024 23:43:00 +0100
Author: Steffen Nurpmeso 
From: Steffen Nurpmeso 
...
Subject: Re: [..] Recommendation for dkim signing
Message-ID: <20240306224300.AvxERJ7Z@steffen%sdaoden.eu>
...

One. Last. Message. Of mine.

And sorry for all this mostly off-topic noise.

Steffen Nurpmeso wrote in
 <20240306214948.V5gSjSiU@steffen%sdaoden.eu>:
 ...
 |So now that i have DKIM myself i tested.
 |And *no* verification software i can reach actually supports
 |Ed25519-sha256 as of RFC 8463 from September 2018!
 |It is even *worse* than that.
 ...
 |  - Microsoft: fails the DKIM test if a RFC 8463 signature is
 |present, no matter whether first or last!!!
 |Is this *really* true?  That is really bad.

  + It even actively fails SHA1 DKIM signatures.
I know these are deprecated, but if i use a rsa-sha1 and
a rsa-sha256 signature in that order:

  Authentication-Results: spf=pass (sender IP is 217.144.132.164)
   smtp.mailfrom=sdaoden.eu; dkim=fail (body hash did not verify)
   header.d=sdaoden.eu;dmarc=bestguesspass action=none
   header.from=sdaoden.eu;compauth=pass reason=109

The *very*same* message/-checksum passes Google:

  Authentication-Results: mx.google.com;
   dkim=pass (test mode) header.i=@sdaoden.eu header.s=lemon header.b=meYlPkTE;
   dkim=pass (test mode) header.i=@sdaoden.eu header.s=citron header.b=Cehr1W9z;
   spf=pass (google.com: domain of stef...@sdaoden.eu designates 217.144.132.164 as permitted sender) smtp.mailfrom=stef...@sdaoden.eu

Looking at that.  Say, the Microsoft
Authentication-Results: does not denote its own domain
name, no?  Ie i could not strip it.  I have not read RFC
8601 for very too long to know, though.
They do not look at the h=sha1 of the DNS record, do they.
They do not look at the a= of the DKIM signature.

  ...
 |  - Place a single signature.
 |
 |  - It must be RSA-sha256.

And exactly only that.

 |RFC 6376 surely would have deserved something better.

Good night, greetings, and
Ciao from Germany,
 -- End forward <20240306224300.AvxERJ7Z@steffen%sdaoden.eu>

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
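
A reader for the two Authentication-Results fields quoted in the message above, as an added example that is not part of the original post: it extracts the authserv-id when one is present and lists every `dkim=` result with its selector, so a field that names no authserv-id shows up as unattributable. The sample strings are built from the quoted headers; `trusted_ids` and the rule that any `dkim=pass` is sufficient are local-policy assumptions.

```python
# Added example: minimal Authentication-Results reader (RFC 8601 field shape).
import re

# Sample values built from the two headers quoted in the message, unfolded.
MS = ("spf=pass (sender IP is 217.144.132.164) smtp.mailfrom=sdaoden.eu; "
      "dkim=fail (body hash did not verify) header.d=sdaoden.eu;"
      "dmarc=bestguesspass action=none header.from=sdaoden.eu;"
      "compauth=pass reason=109")
GOOGLE = ("mx.google.com; "
          "dkim=pass (test mode) header.i=@sdaoden.eu header.s=lemon header.b=meYlPkTE; "
          "dkim=pass (test mode) header.i=@sdaoden.eu header.s=citron header.b=Cehr1W9z; "
          "spf=pass (google.com: domain of stef...@sdaoden.eu designates "
          "217.144.132.164 as permitted sender) smtp.mailfrom=stef...@sdaoden.eu")


def parse_authres(value):
    """Return (authserv_id or None, [(method, result, {property: value})]).

    Comments in parentheses are dropped; nested comments and quoted strings
    are not handled in this reduced reader.
    """
    value = re.sub(r"\([^()]*\)", " ", value)
    parts = [p.split() for p in value.split(";") if p.strip()]
    authserv_id = None
    if parts and "=" not in parts[0][0]:
        authserv_id = parts.pop(0)[0].lower()   # first token; a version may follow
    results = []
    for tokens in parts:
        if "=" not in tokens[0]:                # e.g. the bare "none" result
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results


def dkim_summary(value, trusted_ids):
    """Summarise the dkim results of one field, but only if it is attributable.

    A field with no authserv-id, or one not in trusted_ids, is reported as
    "untrusted": nothing says which host wrote it, so it cannot be matched
    for stripping or relied on downstream.
    """
    authserv_id, results = parse_authres(value)
    if authserv_id not in trusted_ids:
        return "untrusted", []
    dkim = [(p.get("header.s"), r) for m, r, p in results if m == "dkim"]
    if any(r == "pass" for _, r in dkim):
        return "pass", dkim
    return ("fail" if dkim else "none"), dkim


if __name__ == "__main__":
    for name, hdr in (("microsoft", MS), ("google", GOOGLE)):
        print(name, parse_authres(hdr)[0], dkim_summary(hdr, {"mx.google.com"}))
```
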



Re: [Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

2024-03-06 Thread Steffen Nurpmeso
Scott Kitterman wrote in
 :
 |On March 6, 2024 9:56:50 PM UTC, Steffen Nurpmeso  \
 |wrote:
 |>--- Forwarded from Steffen Nurpmeso  ---
 |>Date: Wed, 06 Mar 2024 22:49:48 +0100
 |>Author: Steffen Nurpmeso 
 |>From: Steffen Nurpmeso 
 |>...
 |>Subject: Re: [pfx] Recommendation for dkim signing
 |>Message-ID: <20240306214948.V5gSjSiU@steffen%sdaoden.eu>
 |>...
 |>
 |>...
 |>So now that i have DKIM myself i tested.
 |>And *no* verification software i can reach actually supports
 |>Ed25519-sha256 as of RFC 8463 from September 2018!
 |
 |In addition to my dkimpy-milter, exam supports it and believe opendkim \

Yes, you do support it.  I know of no endpoint i could reach out
to test this, however.  But yes, of course your software
thankfully supports it.

 |does as well.  Their combined market share no doubt rounds to zero, \
 |but the software does exist.

exam i do not know, and OpenDKIM i am pretty sure does not support
it, at least the Sourceforge.net thing; i have a local copy and
the last change was in 2015.

 |This isn't horrible.  The main reason for RFC 8463 was, in my view, \
 |as a hedge for some discovery that suddenly made RSA obsolete, which \
 |hasn't happened yet.  From a standards perspective, it is there if needed.

It greatly reduces the size of the headers, too.  And of the DNS
entries, and the DNS traffic as such, in UDP.

I would speak contra and say it is a terrible picture.
And one mail i would have written right now in the queue.

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)



Re: [Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

2024-03-06 Thread Scott Kitterman



On March 6, 2024 9:56:50 PM UTC, Steffen Nurpmeso  wrote:
>--- Forwarded from Steffen Nurpmeso  ---
>Date: Wed, 06 Mar 2024 22:49:48 +0100
>Author: Steffen Nurpmeso 
>From: Steffen Nurpmeso 
>...
>Subject: Re: [pfx] Recommendation for dkim signing
>Message-ID: <20240306214948.V5gSjSiU@steffen%sdaoden.eu>
>...
>
>...
>So now that i have DKIM myself i tested.
>And *no* verification software i can reach actually supports
>Ed25519-sha256 as of RFC 8463 from September 2018!

In addition to my dkimpy-milter, exam supports it and believe opendkim does as 
well.  Their combined market share no doubt rounds to zero, but the software 
does exist.

This isn't horrible.  The main reason for RFC 8463 was, in my view, as a hedge 
for some discovery that suddenly made RSA obsolete, which hasn't happened yet.  
From a standards perspective, it is there if needed.

Scott K



[Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

2024-03-06 Thread Steffen Nurpmeso
--- Forwarded from Steffen Nurpmeso  ---
Date: Wed, 06 Mar 2024 22:49:48 +0100
Author: Steffen Nurpmeso 
From: Steffen Nurpmeso 
...
Subject: Re: [pfx] Recommendation for dkim signing
Message-ID: <20240306214948.V5gSjSiU@steffen%sdaoden.eu>
...

...
So now that i have DKIM myself i tested.
And *no* verification software i can reach actually supports
Ed25519-sha256 as of RFC 8463 from September 2018!
It is even *worse* than that.

  - Google: at least reaches out to the RSA signature and verifies
    that, it ignores the other one saying "no key".

  - Microsoft: fails the DKIM test if a RFC 8463 signature is
    present, no matter whether first or last!!!
    Is this *really* true?  That is really bad.

  - The software this list uses (rspamd i think): fails if the
    Ed25519 signature is first, aka does not reach out.  (Which it
    should, says DKIM, does it.  The DKIM standard is
    *fantastic*!)  It at least succeeds if the RSA is first.

What a mess.  Even though explicitly envisioned in the DKIM
standard, it seems to me one cannot simply create two signatures,
as i wanted to do.  (For a while, at least; until i see Ed is
supported anywhere.  I had no plan, actually.)

So as of today DKIM interoperability seems to mean:

  - Place a single signature.

  - It must be RSA-sha256.

RFC 6376 surely would have deserved something better.

  ...
 -- End forward <20240306214948.V5gSjSiU@steffen%sdaoden.eu>

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
