Re: [dnsext] Adopting draft: draft-hoffman-dnssec-ecdsa-04.txt
Alex Bligh <alex@alex.org.uk> Fri, 07 January 2011 15:24 UTC
Return-Path: <alex@alex.org.uk>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BCC223A68F1 for <dnsext@core3.amsl.com>; Fri, 7 Jan 2011 07:24:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iOrI+bLoK-+G for <dnsext@core3.amsl.com>; Fri, 7 Jan 2011 07:24:07 -0800 (PST)
Received: from mail.avalus.com (mail.avalus.com [89.16.176.221]) by core3.amsl.com (Postfix) with ESMTP id B723A3A68F7 for <dnsext@ietf.org>; Fri, 7 Jan 2011 07:24:07 -0800 (PST)
Received: from [192.168.100.15] (87-194-71-186.bethere.co.uk [87.194.71.186]) by mail.avalus.com (Postfix) with ESMTPSA id 4210CC562F3; Fri, 7 Jan 2011 15:26:12 +0000 (GMT)
Date: Fri, 07 Jan 2011 15:26:11 +0000
From: Alex Bligh <alex@alex.org.uk>
To: Phillip Hallam-Baker <hallam@gmail.com>, cet1@cam.ac.uk
Message-ID: <359091FCD895EA0C271718D9@Ximines.local>
In-Reply-To: <AANLkTimnz9CBDbjXc0V2=zdM6PZnSs4_+ZaEL8CCVbXk@mail.gmail.com>
References: <4D014A84.5070204@ogud.com> <4D2390DE.8050409@ogud.com> <4D23A061.3060501@vpnc.org> <4D248950.3040208@ogud.com> <4D248A72.5010404@vpnc.org> <a06240801c94a3ed54f9e@10.31.200.116> <Prayer.1.3.3.1101051839410.18449@hermes-2.csi.cam.ac.uk> <AANLkTimnz9CBDbjXc0V2=zdM6PZnSs4_+ZaEL8CCVbXk@mail.gmail.com>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: Edward Lewis <Ed.Lewis@neustar.biz>, Paul Hoffman <paul.hoffman@vpnc.org>, dnsext@ietf.org
Subject: Re: [dnsext] Adopting draft: draft-hoffman-dnssec-ecdsa-04.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Alex Bligh <alex@alex.org.uk>
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jan 2011 15:24:08 -0000
--On 7 January 2011 09:32:56 -0500 Phillip Hallam-Baker <hallam@gmail.com> wrote: > All non-mandatory crypto would use ASN.1 OIDs to declare the algorithm > type. In the case of DNSSEC this would require an approach similar to > the one that the OID based CERT type uses. There would be a code point > reserved for identifying the algorithm by ASN.1 oid and a defined > mechanism for squeezing in the OID as a prefix to the crypto material. ... > The only interoperability concern should be that applications that > support a common algorithm be able to use it to communicate. That > means that they all use the same code points to identify the same > algorithm. ... > The fact that the OID registry is open and has no gating factor is a > good thing. No gate means no endorsement. If we had used ASN.1 OIDs to > identify algorithms there would be no RFC 5933, there would be no > mention of GOST in RFCs at all unless there was a decision to adopt it > as a mandatory to implement algorithm (which the GRU would not want in > any case since their whole purpose requires use of a different > algorithm). Q: is there sufficient standardisation within the ASN.1 OIDs that if a new crypto type FOO comes along, then 2 implementations, working solely from the OID, they can necessarily interoperate? IE will they thoroughly specify whether FOO options X and Y have to be supported, wire format, etc? To illustrate what I mean, I include below a section from the OpenSSH-5.7 testing release notes. I know ssh != DNSSEC, but I suspect support for a new algorithm might not be as simply described as whether a single ID. -- Alex Bligh * Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented. Certificate host and user keys using the new ECDSA key types are supported - an ECDSA key may be certified, and an ECDSA key may act as a CA to sign certificates. ECDH in a 256 bit curve field is the preferred key agreement algorithm when both the client and server support it. ECDSA host keys are preferred when learning a host's keys for the first time.
- [dnsext] Adopting draft: draft-hoffman-dnssec-ecd… Olafur Gudmundsson
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Francis Dupont
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Alfred Hönes
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Rose, Scott W.
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Matthijs Mekking
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Olafur Gudmundsson
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Paul Hoffman
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Olafur Gudmundsson
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Paul Hoffman
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Olafur Gudmundsson
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Edward Lewis
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Paul Hoffman
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Basil Dolmatov
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Paul Hoffman
- [dnsext] strngths, was Re: Adopting draft:... Edward Lewis
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Chris Thompson
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Basil Dolmatov
- Re: [dnsext] strngths, was Re: Adopting draft:... Paul Hoffman
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Paul Hoffman
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Paul Hoffman
- Re: [dnsext] strngths, was Re: Adopting draft:... Edward Lewis
- [dnsext] RFC 4509 was Re: Adopting draft: draft-h… Edward Lewis
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Jeffrey A. Williams
- Re: [dnsext] strngths, was Re: Adopting draft:... Paul Hoffman
- Re: [dnsext] strngths, was Re: Adopting draft:... Brian Dickson
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Francis Dupont
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Dmitry Burkov
- Re: [dnsext] strngths, was Re: Adopting draft:... Florian Weimer
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Phillip Hallam-Baker
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Florian Weimer
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Alex Bligh
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Phillip Hallam-Baker
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Paul Hoffman
- Re: [dnsext] Adopting draft: draft-hoffman-dnssec… Phillip Hallam-Baker
- Re: [dnsext] strngths, was Re: Adopting draft:... Colm MacCárthaigh