Re: [dnsext] New Version Notification for draft-mcgrew-tss-02 (fwd)

Michael StJohns <mstjohns@comcast.net> Wed, 11 March 2009 22:59 UTC

Date: Wed, 11 Mar 2009 18:49:40 -0400
To: David McGrew <mcgrew@cisco.com>
From: Michael StJohns <mstjohns@comcast.net>
Subject: Re: [dnsext] New Version Notification for draft-mcgrew-tss-02 (fwd)
Cc: Alfred Hönes <ah@tr-sys.de>, dnsop@ietf.org, namedroppers@ops.ietf.org

At 06:27 PM 3/11/2009, David McGrew wrote:
>Hi Mike,
>>Hi Alfred -
>>A better scheme for threshold signing for the root might be the  
>>Shoup paper: "Practical Threshold Signatures", Victor Shoup (sho@zurich.ibm.com), IBM Research Paper RZ3121, 4/30/99
>>The major difference between the two is that the Shamir system  
>>(which you describe) requires the base secret (private key) be  
>>reconstituted (by a trusted entity) before it can be used, where the  
>>Shoup system allows partial signatures with a public gather  
>>function.  E.g. In a 3 of 5 system, each of the 3 key share holders  
>>partial-sign the data using their share of the private key and send  
>>it (as public data) to a central location where a gather function is  
>>used to form the actual signature.
>I agree that threshold signatures have nice security properties, and  
>that Shoup's PTS method looks good, especially because its signature-share generation step does not require any interaction between the  
>signers.
>
>As you say, the TSS draft lacks the partial-signature capability, but  
>TSS does have the benefit of simplicity.
>>Shamir is nice in that it can be used for any set of key bits. But  
>>the reconstitution requirement is a point of weakness where the  
>>actual private key may be compromised. The Shoup system is only  
>>specified for RSA as far as I know.
>Shoup's PTS method requires the use of a trusted dealer to generate  
>the private keys of all of the signers.   So while it eliminates the  
>need for a trusted dealer during the signing step, it does not  
>eliminate that need entirely.  (At least this is the case for the  
>paper that you cited above; if there is work that eliminates the  
>trusted dealer, I would be very interested to see it.)
>
>best regards,
>
>David

Hi David -

What I would recommend doing here is build a computer and set it up with no connections to the outside world.  Load it with the generation software and the public keys of the N share holders.  Connect it to a printer.  Run the generation software and then print out the 5 public key wrapped shares armored as HEX ascii in an OCR font.  Destroy the hard drive.   Melt, burn, magnetize, disassemble, etc.

Send the wrapped shares off to the various share holders.  Have them OCR them into the encrypted key shares they'll use later to do the signing.

The ceremony for doing the generation in a reasonably trusted manner and ensuring that information doesn't leak is manageable.. :-) 

But it would be nice if we didn't need a trusted dealer....

Mike
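
An added illustration, not part of the original message and not code from the TSS draft or from Shoup's paper: a toy Python version of the partial-signature flow discussed in this thread (3 of 5, trusted dealer, public gather function), in which the private exponent is never reassembled after dealing. The tiny safe primes and all function names are assumptions made for the example, and the share-correctness proofs from Shoup's paper are omitted.

```python
import hashlib
import math
import secrets

# Toy parameters (constructed): safe primes p = 2p'+1, q = 2q'+1, far too small for real use.
P, Q = 1019, 1187
N, M = P * Q, (P // 2) * (Q // 2)    # public modulus n; dealer-only secret m = p'q'
E = 65537                            # public exponent: prime and larger than PLAYERS
PLAYERS, THRESHOLD = 5, 3
DELTA = math.factorial(PLAYERS)

def deal():
    """Trusted dealer: split d = e^-1 mod m with a random degree-(k-1) polynomial."""
    d = pow(E, -1, M)                # known to the dealer only, then discarded
    coeffs = [d] + [secrets.randbelow(M) for _ in range(THRESHOLD - 1)]
    return {i: sum(c * i**k for k, c in enumerate(coeffs)) % M
            for i in range(1, PLAYERS + 1)}

def hash_to_zn(msg):
    """Map a message to a unit of Z_n (the stepping loop matters only for a toy n)."""
    x = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    while math.gcd(x, N) != 1:
        x += 1
    return x

def partial_sign(msg, share):
    """Run by one share holder with its own share; the output is public data."""
    return pow(hash_to_zn(msg), 2 * DELTA * share, N)

def gather(msg, partials):
    """Public combine step: takes {holder index: partial signature}, uses no secret."""
    x, w = hash_to_zn(msg), 1
    for i, x_i in partials.items():
        others = [j for j in partials if j != i]
        # Integer Lagrange coefficient at 0, scaled by DELTA so the division is exact.
        lam = DELTA * math.prod(-j for j in others) // math.prod(i - j for j in others)
        w = w * pow(x_i, 2 * lam, N) % N     # w ends as x^(4 * DELTA^2 * d)
    e_prime = 4 * DELTA**2                   # w^e = x^e_prime and gcd(e_prime, e) = 1
    a = pow(e_prime, -1, E)
    b = (1 - e_prime * a) // E               # a*e_prime + b*e = 1
    return pow(w, a, N) * pow(x, b, N) % N

def verify(msg, sig):
    """Ordinary RSA verification with the public key (n, e)."""
    return pow(sig, E, N) == hash_to_zn(msg)
```

Any three holders' partial signatures gather to the same value, and a verifier sees a normal RSA signature; the dealer in `deal()` is the remaining trusted party, as David's reply points out.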