Re: [dnsext] historical root keys for upgrade path?

Phillip Hallam-Baker <hallam@gmail.com> Wed, 02 February 2011 14:33 UTC

In-Reply-To: <alpine.LSU.2.00.1102021405380.5244@hermes-1.csi.cam.ac.uk>
References: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com> <17A80F45-52CB-43F6-BD4A-3488821F6933@hopcount.ca> <3A1DEE95-8C8E-4C89-97EB-6D8F799ADE25@virtualized.org> <583A62B0-0DBF-469A-AF8A-B81DEDD1E7E2@dotat.at> <86B1D38A-C274-4335-B30E-3C5C0DF05C38@hopcount.ca> <4D45DE93.9090508@vpnc.org> <AANLkTinbjRebooyqWMpZ2oTudruoDSGqgaXXr35WPYVH@mail.gmail.com> <AANLkTikiqe2K4S-dNsyQZ-xp71J4bM11SsahwpxfDKCX@mail.gmail.com> <4C747F08-A9E8-46E6-AE76-0A999A16D276@hopcount.ca> <AANLkTinOtx88vK3mz-w=uw1CnsKwm=c-nTDOsj=5JAPY@mail.gmail.com> <B4F822D3-F4D6-4657-B299-075B89B5CC86@hopcount.ca> <AANLkTi=BtqV3XF-yXhDBNd7hPCbJCWKuS-WsO=_nf6g3@mail.gmail.com> <EC6DC378-D10D-45FC-B9FB-8D43A780A9EC@kirei.se> <alpine.LSU.2.00.1102021405380.5244@hermes-1.csi.cam.ac.uk>
Date: Wed, 02 Feb 2011 09:36:39 -0500
Message-ID: <AANLkTik=yDHWUsJxobVdXzLoUj3HTtd_BaX8YfeZiZ2G@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, dnsext@ietf.org
Subject: Re: [dnsext] historical root keys for upgrade path?
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>

Unfortunately the ability to do a vanity key roll does not really help in
emergency planning.

We have many protocols that allow us to slot in new crypto, but when the
pragmatics of deployment are considered they simply don't work.


We are currently moving from 1024 bit RSA to 2048 and it is creating quite a
few issues despite the fact that almost everything that does 1024 does 2048.

The SHA-256 transition for SSL is going to be a major upheaval. MD5 to SHA-1
was easy because everything supported SHA-1. But only 50% of the base
supports SHA-256, if that.


On Wed, Feb 2, 2011 at 9:06 AM, Tony Finch <dot@dotat.at> wrote:

> On Wed, 2 Feb 2011, Jakob Schlyter wrote:
> >
> > I could not agree with you more - vanity key rollovers are not useful.
>
> How else can you know that a necessary rollover will work, e.g. to upgrade
> the key length or algorithm or because of an emergency?
>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
> DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
> ROUGH. RAIN THEN FAIR. GOOD.
>
-- 
Website: http://hallambaker.com/