A new cryptographic signature method for DKIM

Taughannock Networks
PO Box 727
Trumansburg, NY 14886
+883.5100.01196712
standards@taugh.com

This document adds a new signing algorithm to DKIM.

Discussion about this draft is directed to the dcrup@ietf.org mailing list.

DKIM signs e-mail messages by creating hashes of the message
headers and body and signing the header hash with a digital signature.
Message recipients fetch the signature verification key from the DNS.
The defining documents specify a single signing algorithm, RSA.
This document adds a new stronger signing algorithm, Edwards-Curve Digital Signature Algorithm using
the Curve25519 curve (ed25519),
which has much shorter keys than RSA for similar levels of security.
The capitalized key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in
.
Syntax descriptions use Augmented BNF (ABNF).
The ABNF tokens sig-a-tag-k and key-k-tag-type are imported from .
The ed25519-sha256 signing algorithm computes a message hash as defined in section 3
of using SHA-256 as the hash-alg,
and signs it with the PureEdDSA variant Ed25519, as defined in
RFC 8032 section 5.1.
Example keys and signatures in Appendix XX below are based on the
test vectors in RFC 8032 section 7.1.
The DNS record for the verification public key has a "k=ed25519" tag to indicate
that the key is an Ed25519 rather than RSA key.
This is an additional DKIM signature algorithm added to Section 3.3 of
as envisioned in Section 3.3.4 of .
Note: since Ed25519 keys are 256 bits long, the base64 encoded key is only 44 octets, so
the DNS key record data will generally fit in a single
255-byte TXT string and will work with DNS provisioning software that doesn't
handle multi-string TXT records.
The syntax of DKIM signatures and DKIM keys is updated as follows.
The syntax of DKIM algorithm tags in section 3.5 of
is updated by adding this rule to the
existing rule for sig-a-tag-k:
The syntax of DKIM key tags in section 3.6.1 of
is updated by adding this rule to the
existing rule for key-k-tag-type:
The p= value in the key record is the ed25519 public key encoded in base64.
Since the key is 256 bits long, the base64 text is 44 octets long.
For example, a key record using the public key in Section 7.1, Test 1, might be:
Section 3.3 of describes DKIM's hash and signature algorithms.
It is updated as follows:
Signers SHOULD implement and verifiers MUST implement the ed25519-sha256 algorithm.
For backward compatibility, signers MAY add multiple signatures that use old and new signing
algorithms.
Since there can only be a single key record in the DNS for each selector, the signatures
will have to use different selectors, although they can use the same d= and i= identifiers.
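The following Go program is an added example, not part of the draft, showing the complete round trip the preceding sections describe: expanding the RFC 8032 section 7.1 Test 1 secret key into an Ed25519 key, rendering the k=ed25519 key record with its 44-octet p= value, signing a message with a=ed25519-sha256 (SHA-256 header hash signed with PureEdDSA via the standard-library crypto/ed25519 package), and verifying it, including rejection of a tampered body or header. The sample message, the domain example.com, the selector ed1 and the tag layout are constructed for the example; canonicalization is the minimal "simple" form and does not cover relaxed canonicalization or folded header fields.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// Secret key (seed) from RFC 8032 section 7.1, Test 1, which the draft's
// examples are based on. Everything else below is constructed sample data.
const rfc8032Test1Seed = "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60"

// Test1Key expands the RFC 8032 Test 1 seed into an Ed25519 private key.
func Test1Key() ed25519.PrivateKey {
	seed, err := hex.DecodeString(rfc8032Test1Seed)
	if err != nil {
		panic(err)
	}
	return ed25519.NewKeyFromSeed(seed)
}

// PublicKeyOf extracts the 32-byte public half of an Ed25519 private key.
func PublicKeyOf(priv ed25519.PrivateKey) ed25519.PublicKey {
	return priv.Public().(ed25519.PublicKey)
}

// KeyRecord renders the TXT data for an Ed25519 DKIM key: k=ed25519 plus the
// raw 32-byte public key in base64, which is 44 octets (constructed layout).
func KeyRecord(pub ed25519.PublicKey) string {
	return "v=DKIM1; k=ed25519; p=" + base64.StdEncoding.EncodeToString(pub)
}

// BodyHash applies "simple" body canonicalization (CRLF line endings, trailing
// empty lines reduced to a single CRLF) and returns the base64 SHA-256 digest.
func BodyHash(body string) string {
	body = strings.ReplaceAll(body, "\r\n", "\n")
	body = strings.TrimRight(body, "\n") + "\n"
	sum := sha256.Sum256([]byte(strings.ReplaceAll(body, "\n", "\r\n")))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// headerHash is the DKIM header hash under "simple" canonicalization: each
// signed field followed by CRLF, then the DKIM-Signature field itself with the
// b= value treated as empty and no trailing CRLF. b= is always the last tag here.
func headerHash(signed []string, dkimSig string) []byte {
	h := sha256.New()
	for _, f := range signed {
		h.Write([]byte(f + "\r\n"))
	}
	h.Write([]byte(dkimSig[:strings.LastIndex(dkimSig, "b=")+2]))
	return h.Sum(nil)
}

// pick returns the header fields named in h=, in that order (first match wins).
func pick(headers []string, hTag string) []string {
	var out []string
	for _, name := range strings.Split(hTag, ":") {
		for _, f := range headers {
			if strings.HasPrefix(strings.ToLower(f), strings.ToLower(name)+":") {
				out = append(out, f)
				break
			}
		}
	}
	return out
}

// Sign builds a DKIM-Signature header with a=ed25519-sha256 and signs the
// 32-byte header hash with PureEdDSA, as the draft specifies.
func Sign(priv ed25519.PrivateKey, domain, selector, hTag string, headers []string, body string) string {
	sig := fmt.Sprintf("DKIM-Signature: v=1; a=ed25519-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, hTag, BodyHash(body))
	b := ed25519.Sign(priv, headerHash(pick(headers, hTag), sig))
	return sig + base64.StdEncoding.EncodeToString(b)
}

// tags parses the tag=value list of a DKIM-Signature header.
func tags(dkimSig string) map[string]string {
	m := map[string]string{}
	for _, part := range strings.Split(strings.TrimPrefix(dkimSig, "DKIM-Signature:"), ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			m[kv[0]] = kv[1]
		}
	}
	return m
}

// Verify re-derives the body and header hashes and checks the Ed25519 signature.
func Verify(pub ed25519.PublicKey, headers []string, body, dkimSig string) bool {
	t := tags(dkimSig)
	if t["a"] != "ed25519-sha256" || t["bh"] != BodyHash(body) {
		return false
	}
	b, err := base64.StdEncoding.DecodeString(t["b"])
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, headerHash(pick(headers, t["h"]), dkimSig), b)
}

func main() {
	priv := Test1Key()
	pub := PublicKeyOf(priv)
	// Constructed sample message: four header fields and a short body.
	headers := []string{"From: sender@example.com", "To: recipient@example.net",
		"Subject: hello", "Date: Mon, 1 Jan 2018 00:00:00 +0000"}
	body := "Hi.\r\n\r\nThis is a constructed sample message.\r\n\r\n"
	dkim := Sign(priv, "example.com", "ed1", "from:to:subject:date", headers, body)
	fmt.Println(KeyRecord(pub))
	fmt.Println(dkim)
	fmt.Println("verified:", Verify(pub, headers, body, dkim))
	fmt.Println("tampered body verified:", Verify(pub, headers, body+"extra\r\n", dkim))
}
```

The selector ed1 is where the draft's note about backward compatibility applies: a signer that also keeps an RSA signature publishes that key under a different selector, because each selector maps to exactly one key record, while d= can stay the same.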
Ed25519 is a widely used cryptographic technique, so the security of DKIM
signatures using new signing algorithms should be at least as good as those using old
algorithms.
IANA is requested to update registries as follows.
The following value is added to the DKIM Key Type Registry:

TYPE     REFERENCE  STATUS
ed25519  [RFC8032]  active

This is a small message with an ed25519-rsa DKIM signature.

Ed25519 secret key in base64.

The text in each line of the message starts at the first position except
for the five continuation lines on the DKIM-Signature
which start with a single space.

Specify sha-256 for the extremely literal minded.
Take out the prehash stuff. Add example.
Specify base64 key records. Style edits per Dave C.
Remove RSA fingerprints. Change Pure to hashed eddsa.
Editorial changes only.
Remove deprecation cruft and inconsistent key advice.
Fix p= and k= text.
Change eddsa to ed25519.
Add Martin's key regeneration issue.
Remove hashed ed25519 keys. Fix typos and clarify text.
Move syntax updates to separate section.
Take out SHA-1 stuff.
Clarify EdDSA algorithm is ed25519 with Pure version
of the signing. Make references to tags and fields consistent.