Re: [dnsext] NSEC3 and elliptic curve signatures

Francis Dupont <Francis.Dupont@fdupont.fr> Fri, 17 September 2010 14:17 UTC

Message-Id: <201009171412.o8HECSac008010@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: Paul Hoffman <paul.hoffman@vpnc.org>
cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] NSEC3 and elliptic curve signatures
In-reply-to: Your message of Thu, 16 Sep 2010 09:55:59 PDT. <p06240834c8b7fa996ee1@[10.20.30.158]>
Date: Fri, 17 Sep 2010 16:12:28 +0200
List-ID: <namedroppers.ops.ietf.org>
List-Archive: <http://ops.ietf.org/lists/namedroppers/>

 In your previous mail you wrote:

   Do folks here think that draft-hoffman-dnssec-ecdsa should have
   suggested RFC 5155 iteration counts?
   
=> I think so. I suggest: you pick stock hardware, evaluate performance,
compute proportional maximum iteration counts, and put values in
the next version of the draft if needed, i.e., if the reasoning
for DSA applies to ECDSA too:

   The ratio between SHA-1 calculation and DSA verification is higher
   (1500 to 1 for keys of size 1024).  A higher iteration count degrades
   performance, while DSA verification is already more expensive than
   RSA for the same key size.  Therefore the values in the table MUST be
   used independent of the key algorithm.

IMHO it applies and the 150 default maximum value is still fine,
but it should be checked and written down.

Thanks

Francis.Dupont@fdupont.fr
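The message above proposes measuring hash cost against signature-verification cost and deriving a proportional iteration cap, which is exactly how the RFC 5155 section 10.3 table (150 / 500 / 2500 for 1024 / 2048 / 4096-bit RSA keys) was produced. The following is an added example, not code from the thread, the draft, or any DNS implementation. It implements the NSEC3 hash of RFC 5155 section 5 (checked against the Appendix A test vector for "example." with salt aabbccdd and 12 iterations), times one SHA-1 round on the local host, and turns a measured verification cost into the cap the message asks for. Measuring ECDSA verification itself needs a crypto library outside the standard library, so `proportional_iteration_cap` takes the verification time as a caller-supplied number; the 150:1 figure used in `main` is an illustrative assumption, not a measurement.

```python
"""NSEC3 hashing (RFC 5155 section 5) and the proportional iteration cap of section 10.3.

Added example for the thread above; not the draft's or any DNS server's code.
"""
import base64
import hashlib
import timeit

# RFC 5155 section 10.3: the iteration count a validator MUST accept, by key size in bits.
# The RFC derives each value from the approximate cost ratio RSA-verify : SHA-1.
RFC5155_MAX_ITERATIONS = {1024: 150, 2048: 500, 4096: 2500}

# Base32 with the Extended Hex alphabet (RFC 4648 section 7), as NSEC3 owner names use.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercased labels, each length-prefixed, ending with the root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(salt, x, k) from RFC 5155 section 5.

    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    The 'iterations' field counts the additional rounds, so k=12 means 13 SHA-1 calls.
    Returns the lowercase base32hex owner label (32 characters, no padding).
    """
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_HEX).decode("ascii").lower()


def time_sha1_round(salt: bytes = bytes.fromhex("aabbccdd"), rounds: int = 20000) -> float:
    """Seconds for one NSEC3 round (SHA-1 over a 20-byte digest plus salt) on this host."""
    digest = b"\x00" * 20
    total = timeit.timeit(lambda: hashlib.sha1(digest + salt).digest(), number=rounds)
    return total / rounds


def proportional_iteration_cap(verify_seconds: float, sha1_seconds: float) -> int:
    """The RFC 5155 method: cap the per-name hashing work at roughly one signature verification.

    verify_seconds is the measured cost of one signature verification for the algorithm
    and key size under study (RSA in the RFC; ECDSA in the draft the message discusses);
    sha1_seconds is the cost of one NSEC3 round. The RFC's 150:1 ratio for RSA-1024 gives 150.
    """
    if verify_seconds <= 0 or sha1_seconds <= 0:
        raise ValueError("timings must be positive")
    return int(round(verify_seconds / sha1_seconds))


if __name__ == "__main__":
    # RFC 5155 Appendix A: zone "example", salt aabbccdd, 12 iterations.
    print(nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12))

    per_round = time_sha1_round()
    # ASSUMPTION for illustration only: a verification that costs 150 SHA-1 rounds,
    # i.e. the RSA-1024 ratio from RFC 5155. Replace with a measured ECDSA figure.
    assumed_verify = 150 * per_round
    print("SHA-1 round: %.3g s, cap for the assumed ratio: %d"
          % (per_round, proportional_iteration_cap(assumed_verify, per_round)))
```

To follow the procedure the message describes, replace the assumed `assumed_verify` with a measured ECDSA P-256 or P-384 verification time on the chosen hardware; the cap returned is then the number to compare with the existing 150 for a 1024-bit RSA key, which is the check the message says should be written down.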