Re: [dnsext] draft-hoffman-dnssec-ecdsa-04

Francis Dupont <Francis.Dupont@fdupont.fr> Thu, 12 April 2012 11:17 UTC

Return-Path: <Francis.Dupont@fdupont.fr>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1502421F8533 for <dnsext@ietfa.amsl.com>; Thu, 12 Apr 2012 04:17:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.509
X-Spam-Level:
X-Spam-Status: No, score=-2.509 tagged_above=-999 required=5 tests=[AWL=0.090, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nSsGikce81rS for <dnsext@ietfa.amsl.com>; Thu, 12 Apr 2012 04:17:20 -0700 (PDT)
Received: from givry.fdupont.fr (givry.fdupont.fr [IPv6:2001:41d0:1:6d55:211:5bff:fe98:d51e]) by ietfa.amsl.com (Postfix) with ESMTP id 3593721F84DA for <dnsext@ietf.org>; Thu, 12 Apr 2012 04:17:20 -0700 (PDT)
Received: from givry.fdupont.fr (localhost [127.0.0.1]) by givry.fdupont.fr (8.14.3/8.14.3) with ESMTP id q3CBHIi5033363; Thu, 12 Apr 2012 13:17:18 +0200 (CEST) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <201204121117.q3CBHIi5033363@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: Miek Gieben <miek@miek.nl>
In-reply-to: Your message of Thu, 12 Apr 2012 09:14:21 +0200. <20120412071421.GA19834@miek.nl>
Date: Thu, 12 Apr 2012 13:17:18 +0200
Sender: Francis.Dupont@fdupont.fr
Cc: dnsext WG <dnsext@ietf.org>
Subject: Re: [dnsext] draft-hoffman-dnssec-ecdsa-04
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Apr 2012 11:17:21 -0000

 In your previous mail you wrote:

>  I've (re)read and implemented dnssec-ecdsa-04 in some code. During that
>  process I got some questions about it:
>  
>  * Section 1: It says ECDSA is 20 times faster than RSA for signing
>      and 5 times slower for validating. Shouldn't that require a reference?

=> I got the same differences at a lower level. BTW it seems both RSA and
ECDSA are very sensible to optimizations, the only thing which seems
unlikely is ECDSA signing not very faster than RSA signing, and ECDSA
validating faster than RSA.

>  * Section 4: How should I know that, x and y are of equal length?

=> as the public key is an opaque bit string I don't believe it matters
(and if you need to know the FIPS 186-3 should provide all details).

>  * Section 4: Same question for r and s?

=> in fact they can get leading zeros so not the length you expect.
IMHO the critical thing is (quoting the I-D):
   For P-256, each integer MUST be encoded as 32 octets; for
   P-384, each integer MUST each be encoded as 48 octets.

>  * Section 6: In the examples the privatekey file is shown. I
>    haven't seen (or can't remember) this in any previous RFC
>    specifing new algorithms for DNSKEYs. Also all other (DSA/RSA)
>    .priv key files (as generated by BIND) put the public key info
>    in the .priv file, this one is an exception. Why?

=> RFC 5933 (about GOST for DNSSEC, which is BTW another EC stuff).

>      (My local elliptic curve documentation tells me the the private
>      key consists out of the public key and a bigInt called D)

=> usually the public key is not considered as being a part of the
private key. I know some PKCS#11 devices which don't return the public
values when a RSA private key is looked up (note IMHO it is a bad
behavior). Here it is clear the private key is a bigInt.

Thanks

Francis.Dupont@fdupont.fr

PS: as far as I can see the example is hard to use to test code:
the only thing you can do is to validate old/expired signatures...
PPS: the crypto answer is Q = dG so the public key Q is trivial to
compute from the private key d and the curve parameters (which
includes the generator G).