IETF Logo Mail Archive

Re: Standardize RSA/SHA256 ?

Simon Josefsson <jas@extundo.com> Fri, 12 May 2006 09:58 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FeUPm-0002wk-QE for dnsext-archive@lists.ietf.org; Fri, 12 May 2006 05:58:30 -0400
Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FeUPl-0000pn-9g for dnsext-archive@lists.ietf.org; Fri, 12 May 2006 05:58:30 -0400
Received: from majordom by psg.com with local (Exim 4.60 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1FeUN8-000EAa-V3 for namedroppers-data@psg.com; Fri, 12 May 2006 09:55:46 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,FORGED_RCVD_HELO autolearn=ham version=3.1.1
Received: from [217.13.230.178] (helo=yxa.extundo.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.60 (FreeBSD)) (envelope-from <jas@extundo.com>) id 1FeUN4-000E9g-Ut for namedroppers@ops.ietf.org; Fri, 12 May 2006 09:55:43 +0000
Received: from localhost.localdomain (yxa.extundo.com [217.13.230.178]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge1) with ESMTP id k4C9t6sY006505 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 12 May 2006 11:55:07 +0200
From: Simon Josefsson <jas@extundo.com>
To: Jelte Jansen <jelte@NLnetLabs.nl>
Cc: namedroppers@ops.ietf.org
Subject: Re: Standardize RSA/SHA256 ?
References: <6.2.5.6.2.20060508094001.03182b80@ogud.com> <Pine.LNX.4.44.0605091629550.31070-100000@citation2.av8.net> <87vesecle7.fsf@latte.josefsson.org> <44644DBB.3080605@NLnetLabs.nl>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:060512:jelte@nlnetlabs.nl::QNiohHBTV4FDGlxb:7Mmc
X-Hashcash: 1:22:060512:namedroppers@ops.ietf.org::vuIN/3JhCGksX6A4:vdTG
Date: Fri, 12 May 2006 11:54:56 +0200
In-Reply-To: <44644DBB.3080605@NLnetLabs.nl> (Jelte Jansen's message of "Fri, 12 May 2006 10:56:27 +0200")
Message-ID: <871wuzbma7.fsf@latte.josefsson.org>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com
X-Virus-Status: Clean
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 21c69d3cfc2dd19218717dbe1d974352

Jelte Jansen <jelte@NLnetLabs.nl> writes:

>> 
>>> For the above reasons, I think that we have time to consider the
>>> correct course of action. There is no need to rush into more
>>> algorithms which require more code on nameservers and resolvers.
>> 
>> Yes, or at least, we need to document a more compelling reason to do
>> RSA-SHA-265.
>> 
>
> So why is this an issue for RSA/SHA256, and not for
> draft-ietf-dnsext-ds-sha256-05.txt, which also makes SHA256 mandatory?

I suppose it applies to both.

Changing the RSA signature algorithm also begs the question: Do we
want to move to RSA-PSS?  See PKCS#1 2.1 in RFC 3447.

I believe RFC 3447, and RSA Labs has encouraged a gradual shift from
RSA-PKCS#1 1.5 to RSA-PSS for a few years now:

http://www.rsasecurity.com/rsalabs/node.asp?id=2005

One advantage with RSA-PSS is that it is easier to analyse
theoretically, and there are security proofs for it.

One disadvantage is that RSA-PSS requires entropy during signing.

> btw, both drafts don't deprecate SHA-1 but do assume that SHA256 is
> stronger and contain text about downgrade attacks based on this assumption.

Ólafur wrote:

Q3: My personal opinion not speaking as a chair:
        If RSA/SHA256 is specified then RSA/SHA1 should be
        tagged as "Not recommended".

/Simon

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email