IETF Logo Mail Archive

Re: [DNSOP] code points for brainpool curves for DNSSEC

"Patrik Fältström " <paf@frobbit.se> Thu, 10 December 2015 09:15 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A51B1A8793; Thu, 10 Dec 2015 01:15:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.261
X-Spam-Level:
X-Spam-Status: No, score=-1.261 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SSYg_XLEOTGW; Thu, 10 Dec 2015 01:15:54 -0800 (PST)
Received: from mail.frobbit.se (mail.frobbit.se [IPv6:2a02:80:3ffe::176]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F283B1A878B; Thu, 10 Dec 2015 01:15:53 -0800 (PST)
Received: from [77.72.227.183] (dyn-fg142.sth.netnod.se [77.72.226.142]) by mail.frobbit.se (Postfix) with ESMTPSA id 3B3491FD73; Thu, 10 Dec 2015 10:15:52 +0100 (CET)
From: Patrik Fältström <paf@frobbit.se>
To: Ólafur Guðmundsson <olafur@cloudflare.com>
Date: Thu, 10 Dec 2015 10:15:51 +0100
Message-ID: <A9FD5B6A-08B9-475E-BFFB-CAF6DE65BC66@frobbit.se>
In-Reply-To: <CAN6NTqyy5756kCGXg_vJeUL6kXLgRFJdSCav67QNpOAXdSbZaw@mail.gmail.com>
References: <56686C32.6090400@cs.tcd.ie> <56686C47.3070305@cs.tcd.ie> <CAN6NTqyy5756kCGXg_vJeUL6kXLgRFJdSCav67QNpOAXdSbZaw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_375136D8-ADDD-41DE-BF52-6FC34777D066_="; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-Mailer: MailMate (1.9.3r5187)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/LBsDBUH7vP5Hmgb0PzkgGrPsA-4>
Cc: dnsop <dnsop@ietf.org>, saag@ietf.org, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [DNSOP] code points for brainpool curves for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2015 09:15:55 -0000

I have nothing to add to what Ólafur wrote below. I agree with his statement.

   Patrik

On 10 Dec 2015, at 1:33, Ólafur Guðmundsson wrote:

> Stephen,
>
> Sorry for being so blunt below.
>
> The document totally content free as to why this makes any sense in an operational context.
> DNSSEC algorithms should not be given out lightly as there is a significant COST to deploy support for each additional algorithm.
>
> While I strongly support having better ECC algorithm that the currently specified curves, adding a new ones SHOULD take place via a performance oriented process.
> Thus I strongly advocate that this publication be held up until we can compare this curve with other curves being proposed.
>
> Background I'm currently fighting an multifaceted battle to have various entities adding support for ECDSAP256, specified over 3 years ago.
>
> Adding and deploying a new DNSKEY algorithm does not just require changes to
> -- DNS servers, libraries and resolvers.
>
> That is just the top of the iceberg,  but also to
> -  DNS provisioning systems, DNSSEC signing systems, DNS testing tools, - user interfaces for registrars, hosting providers, third party DNS operators, CDN's,  etc.
> - TLD and ccTLD policy documents, EPP implementations, plus in some cases security evaluations,
> - not to mention firewalls, network monitoring tools ....
> and number of other things I had no idea existed and majority of which is not maintained anymore.
>
> There are only so many times that one can get everyone's attention to upgrade DNS stuff, thus requiring the change process to be run should not be taken lightly.
> If on the other hand if the editors are only interested in vanity algorithm assignment without any deployment then ...........
>
> Olafur
>
>
> On Wed, Dec 9, 2015 at 4:00 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
>
>>
>>
>>
>> -------- Forwarded Message --------
>> Subject: code points for brainpool curves for DNSSEC
>> Date: Wed, 9 Dec 2015 18:00:18 +0000
>> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
>> To: saag@ietf.org
>>
>>
>> Hiya,
>>
>> The brainpool folks have written an I-D [1] that they are pushing
>> through the rfc editor's independent stream. [2]
>>
>> That I-D wants to register code points for using their curves for
>> DNSSEC.
>>
>> For documents that come through the independent stream, the IESG
>> does an RFC 5742 [3] conflict review. The purpose of that review
>> is to check that the RFC doesn't conflict with ongoing work in
>> the IETF.
>>
>> If you have thoughts on this, please let me know before Dec 17th.
>> I'll forward this to the dnsop, cfrg and curdle mailing lists
>> to check there too. Apologies if you get >1 copy of this. Please
>> try follow up on the saag list if you can.
>>
>> Thanks,
>> Stephen.
>>
>>
>> [1] https://tools.ietf.org/html/draft-schmidt-brainpool-dnssec
>> [2] https://www.rfc-editor.org/pubprocess/
>> [3] https://tools.ietf.org/html/rfc5742
>>
>>
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email