Re: [dnsext] NSEC3 and elliptic curve signatures

"Rose, Scott W." <scott.rose@nist.gov> Thu, 16 September 2010 18:11 UTC

From: "Rose, Scott W." <scott.rose@nist.gov>
To: Namedroppers WG <namedroppers@ops.ietf.org>
Date: Thu, 16 Sep 2010 14:05:40 -0400
Subject: Re: [dnsext] NSEC3 and elliptic curve signatures
Thread-Topic: [dnsext] NSEC3 and elliptic curve signatures
Thread-Index: ActVybghZ7gzIgCETaObP7BAS+EBLA==
Message-ID: <06898779-E4C6-417B-8AFA-3635F1A3373B@nist.gov>
References: <p06240834c8b7fa996ee1@[10.20.30.158]>
In-Reply-To: <p06240834c8b7fa996ee1@[10.20.30.158]>
List-Archive: <http://ops.ietf.org/lists/namedroppers/>

FWIW, those that produce operational recommendations will have to answer this if it is not in the draft.  Those values will likely vary.  While this isn't a show-stopper, it may cause administrator confusion.

I think a good gauge should be to have the max iterations recommendation be less than the time it takes to validate the RRSIG for "an average system".  I don't have an idea what the hard numbers would be.

Scott


On Sep 16, 2010, at 12:55 PM, Paul Hoffman wrote:

> Greetings again. draft-hoffman-dnssec-ecdsa describes DNSSEC signature algorithms using the two generally-accepted elliptic curve sizes of 256 and 384 bits. Dan Simon pointed out to Wouter and me that RFC 5155 talks about choosing iteration sizes for DSA and RSA, but not elliptic curves. Wouter ran some numbers that could be used to determine possible iteration counts, but RFC 5155 only sets maximums for iterations, not suggested values.
> 
> Do folks here think that draft-hoffman-dnssec-ecdsa should have suggested RFC 5155 iteration counts? Should we discuss it at all?
> 
> --Paul Hoffman, Director
> --VPN Consortium
> 

===================================
Scott Rose
NIST
scottr@nist.gov
+1 301-975-8439
Google Voice: +1 571-249-3671
http://www.dnsops.gov/
===================================
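As an added example (not code from this thread, from NIST, or from any IETF draft), the gauge Scott proposes can be made concrete: measure the per-iteration cost of the NSEC3 hash on the validating host, measure (or assume) the cost of one RRSIG verification, and take the largest iteration count whose hashing stays below that verification. The NSEC3 hash follows RFC 5155 section 5 and is checked against the RFC 5155 Appendix A example zone (salt aabbccdd, 12 iterations). The ECDSA P-256 verification timing uses the third-party `cryptography` package when it is installed; the 200 microsecond fallback and the `hard_cap` argument are assumptions for illustration, not figures from the thread.

```python
"""NSEC3 iteration budget gauge: iterations * per-hash cost < one RRSIG verification.

Added example; not code from the thread, from NIST, or from any IETF draft.
"""
import base64
import hashlib
import time
from typing import Optional

# base64.b32encode uses the RFC 4648 base32 alphabet; NSEC3 owner names use
# base32hex (RFC 4648 section 7), so translate one alphabet into the other.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name (RFC 4034 section 6.2)."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("label length must be 1..63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt); H is SHA-1.

    Returns the lowercase base32hex string used as the NSEC3 owner name label.
    """
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def seconds_per_iteration(samples: int = 2000) -> float:
    """Measure this host's cost of one extra NSEC3 iteration (one SHA-1 over digest || salt)."""
    salt = bytes.fromhex("aabbccdd")  # salt from the RFC 5155 Appendix A example zone
    t0 = time.perf_counter()
    nsec3_hash("example.", salt, samples)
    return max(time.perf_counter() - t0, 1e-12) / samples


def measure_ecdsa_p256_verify_seconds(samples: int = 200) -> Optional[float]:
    """Time one ECDSA P-256 verification using the `cryptography` package, or None if absent."""
    try:
        from cryptography.hazmat.primitives import hashes
        from cryptography.hazmat.primitives.asymmetric import ec
    except ImportError:
        return None
    key = ec.generate_private_key(ec.SECP256R1())
    msg = b"constructed RRSIG signing input"  # constructed sample, not real RRSIG data
    sig = key.sign(msg, ec.ECDSA(hashes.SHA256()))
    pub = key.public_key()
    t0 = time.perf_counter()
    for _ in range(samples):
        pub.verify(sig, msg, ec.ECDSA(hashes.SHA256()))
    return (time.perf_counter() - t0) / samples


def iteration_budget(rrsig_verify_seconds: float, hash_seconds: float,
                     hard_cap: Optional[int] = None) -> int:
    """Largest iteration count whose total hashing cost is strictly below one RRSIG verification.

    hard_cap (assumed parameter) lets a caller also apply a protocol maximum such as the
    key-size based limits in RFC 5155 section 10.3.
    """
    if rrsig_verify_seconds <= 0 or hash_seconds <= 0:
        raise ValueError("costs must be positive")
    budget = int(rrsig_verify_seconds / hash_seconds)
    if budget * hash_seconds >= rrsig_verify_seconds:
        budget -= 1  # the gauge is "less than", so back off on an exact fit
    if hard_cap is not None:
        budget = min(budget, hard_cap)
    return max(budget, 0)


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")
    print("NSEC3(example., 12 iter) =", nsec3_hash("example.", salt, 12))
    per_iter = seconds_per_iteration()
    verify = measure_ecdsa_p256_verify_seconds()
    if verify is None:
        verify = 200e-6  # assumed placeholder: 200 us per P-256 verification
    print(f"per-iteration hash cost: {per_iter * 1e6:.3f} us")
    print(f"RRSIG verify cost:       {verify * 1e6:.1f} us")
    print("iteration budget:", iteration_budget(verify, per_iter))
```

Run it on the host class you care about; the budget it prints is specific to that machine, which is exactly the "average system" problem Scott raises, since the same gauge yields different numbers on different validators.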