IETF Logo Mail Archive

Re: [dnsext] I-D Action: draft-ietf-dnsext-dnssec-algo-imp-status-04.txt

Joe Abley <jabley@hopcount.ca> Mon, 11 March 2013 20:00 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF80E21F8CB8 for <dnsext@ietfa.amsl.com>; Mon, 11 Mar 2013 13:00:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.436
X-Spam-Level:
X-Spam-Status: No, score=-101.436 tagged_above=-999 required=5 tests=[AWL=-0.388, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PKKQpEMeCZiK for <dnsext@ietfa.amsl.com>; Mon, 11 Mar 2013 13:00:55 -0700 (PDT)
Received: from mail-ia0-x22e.google.com (mail-ia0-x22e.google.com [IPv6:2607:f8b0:4001:c02::22e]) by ietfa.amsl.com (Postfix) with ESMTP id F126121F8C09 for <dnsext@ietf.org>; Mon, 11 Mar 2013 13:00:51 -0700 (PDT)
Received: by mail-ia0-f174.google.com with SMTP id k38so2348407iah.5 for <dnsext@ietf.org>; Mon, 11 Mar 2013 13:00:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:content-transfer-encoding:message-id:references:to:x-mailer; bh=A7Evghp+LNuskpPWjeuWmrxN20kj39XiSK6BbLZgqnY=; b=bP8nXJwC9YAz6+F4uuQlGzo3o/eiqA/nK0bgIxseRipCtmMuj2KMBBSmeIPki/JdAL YrSUNyzsX3do1jaWrH0xDJUBklIfNusB1HzS0Kg/Y6ceym+tiuFD0j8YQV+ny4kg3XRo Eq8W1BwzjyhKSDvtf146ckPWuDTU+yhkTONCI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:content-transfer-encoding:message-id:references:to:x-mailer :x-gm-message-state; bh=A7Evghp+LNuskpPWjeuWmrxN20kj39XiSK6BbLZgqnY=; b=Rx+hhEBCpsZl43g739T6+bkyTj/9ETXzH0eFubzV+p+CMmrJfeD527Ut+f2hF36V0w 3S86KgHWpI2Lpe9ev+WGngQzPqw/79hVVSqJz9Z3LZPRRhZWTgE+MB7XHOrCAoea2TaD rGHOouL+z+VuLFmW7B8YWHSiCIkJXLdwY6gMYXirJQkiCPZWVI+qNTv77SrRb2cCjDF4 VLtLVuDFU9kVNWqb6JNdJgNJdQsnA59/AQsbQe1F0BeCrrfmuT8GXYtm6ha63xaBUspJ 5NaPOihKnPbRF6Y7F2OFQNOgDHSW/cw5vUdh/SNSGq3G/XTTm0AkXf5FK1YazpBv3W4N FgZA==
X-Received: by 10.42.30.132 with SMTP id v4mr9777237icc.34.1363032051408; Mon, 11 Mar 2013 13:00:51 -0700 (PDT)
Received: from [10.254.50.227] ([64.235.96.2]) by mx.google.com with ESMTPS id g6sm14658197ign.4.2013.03.11.13.00.49 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 11 Mar 2013 13:00:50 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <20130311194317.GA38441@crankycanuck.ca>
Date: Mon, 11 Mar 2013 16:01:04 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <FBCCECBD-43DC-46F1-911F-B06ED43E10C3@hopcount.ca>
References: <20130311152035.4888.59295.idtracker@ietfa.amsl.com> <20130311191607.GF38303@crankycanuck.ca> <E99C99C9-73E1-43F8-B09E-B28CA138F526@hopcount.ca> <20130311194317.GA38441@crankycanuck.ca>
To: Andrew Sullivan <ajs@anvilwalrusden.com>
X-Mailer: Apple Mail (2.1499)
X-Gm-Message-State: ALoCoQlbNgmwWkRwCP1XtF5GRe4K/PgGPoMd3TvIG+Wc25iyWnvWRc2qaBQctu8ifw4XrJkqyi+G
Cc: dnsext@ietf.org
Subject: Re: [dnsext] I-D Action: draft-ietf-dnsext-dnssec-algo-imp-status-04.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Mar 2013 20:00:56 -0000

On 2013-03-11, at 15:43, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:

> What about "Because this document establishes the implementation
> status of every algorithm, it should be listed as a reference for the
> registry itself (leaving in place the individual entries for the
> algorithms referring to the documents that specify them)." ?

That seems like it would have eliminated my confusion. Perhaps also explicitly state that this document aims to classify existing and all future algorithms that might be standardised, until replaced. This could be done by adding to the table earlier in the document make it clear explicitly that "Optional" includes all future algorithms.

    +------------+------------+-------------------+-------------------+
    |    Must    |  Must Not  |    Recommended    |      Optional     |
    |  Implement | Implement  |   to Implement    |                   |
    +------------+------------+-------------------+-------------------+
    |            |            |                   |                   |
    |   RSASHA1  |   RSAMD5   |   RSASHA256       |   Any             |
    |            |            |   RSASHA1-NSEC3   |   registered      |
    |            |            |    -SHA1          |   algorithm       |
    |            |            |   RSASHA512       |   not listed in   |
    |            |            |   ECDSAP256SHA256 |   this table      |
    |            |            |   ECDSAP384SHA384 |                   |
    +------------+------------+-------------------+-------------------+

REMOVE:

  Any registered algorithm not listed in this table

ADD:

  Any registered algorithm not listed in this table, including any algorithm registered in the future.

One further comment, the document justifies as "recommended" ECDSA on the grounds that they might be popular in the future because they feature small key sizes.

   Likewise, ECDSA with the two identified curves (ECDSAP256SHA256 and
   ECDSAP384SHA384) are algorithms that may see widespread use due to
   the perceived similar level of security offered with smaller key size
   compared to the key sizes of algorithms such as RSA.  Therefore,
   ECDSAP256SHA256 and ECDSAP384SHA384 are Recommended to Implement.

ECC-GOST are not recommended, although I believe they have the same advantages. Arguably ECC-GOST has been around for longer, and hence has an advantage over ECDSA. Both have stable references, in English, in the RFC series. What is the reason for appearing to promote one over the other?

> Note that the last part of your "ADD" is explicitly disallowed.  Any
> future entry is either Optional (in which case no new entry is
> needed), or else this entire document needs to be made obsolete and
> replaced.  

That's clear, now, and seems like a reasonable approach.


Joe

v2.23.0 | Report a Bug | By Email