Re: [DNSOP] code points for brainpool curves for DNSSEC
"Patrik Fältström " <paf@frobbit.se> Thu, 10 December 2015 09:15 UTC
Return-Path: <paf@frobbit.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A51B1A8793; Thu, 10 Dec 2015 01:15:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.261
X-Spam-Level:
X-Spam-Status: No, score=-1.261 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SSYg_XLEOTGW; Thu, 10 Dec 2015 01:15:54 -0800 (PST)
Received: from mail.frobbit.se (mail.frobbit.se [IPv6:2a02:80:3ffe::176]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F283B1A878B; Thu, 10 Dec 2015 01:15:53 -0800 (PST)
Received: from [77.72.227.183] (dyn-fg142.sth.netnod.se [77.72.226.142]) by mail.frobbit.se (Postfix) with ESMTPSA id 3B3491FD73; Thu, 10 Dec 2015 10:15:52 +0100 (CET)
From: Patrik Fältström <paf@frobbit.se>
To: Ólafur Guðmundsson <olafur@cloudflare.com>
Date: Thu, 10 Dec 2015 10:15:51 +0100
Message-ID: <A9FD5B6A-08B9-475E-BFFB-CAF6DE65BC66@frobbit.se>
In-Reply-To: <CAN6NTqyy5756kCGXg_vJeUL6kXLgRFJdSCav67QNpOAXdSbZaw@mail.gmail.com>
References: <56686C32.6090400@cs.tcd.ie> <56686C47.3070305@cs.tcd.ie> <CAN6NTqyy5756kCGXg_vJeUL6kXLgRFJdSCav67QNpOAXdSbZaw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_375136D8-ADDD-41DE-BF52-6FC34777D066_="; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-Mailer: MailMate (1.9.3r5187)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/LBsDBUH7vP5Hmgb0PzkgGrPsA-4>
Cc: dnsop <dnsop@ietf.org>, saag@ietf.org, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [DNSOP] code points for brainpool curves for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2015 09:15:55 -0000
I have nothing to add to what Ólafur wrote below. I agree with his statement. Patrik On 10 Dec 2015, at 1:33, Ólafur Guðmundsson wrote: > Stephen, > > Sorry for being so blunt below. > > The document totally content free as to why this makes any sense in an operational context. > DNSSEC algorithms should not be given out lightly as there is a significant COST to deploy support for each additional algorithm. > > While I strongly support having better ECC algorithm that the currently specified curves, adding a new ones SHOULD take place via a performance oriented process. > Thus I strongly advocate that this publication be held up until we can compare this curve with other curves being proposed. > > Background I'm currently fighting an multifaceted battle to have various entities adding support for ECDSAP256, specified over 3 years ago. > > Adding and deploying a new DNSKEY algorithm does not just require changes to > -- DNS servers, libraries and resolvers. > > That is just the top of the iceberg, but also to > - DNS provisioning systems, DNSSEC signing systems, DNS testing tools, - user interfaces for registrars, hosting providers, third party DNS operators, CDN's, etc. > - TLD and ccTLD policy documents, EPP implementations, plus in some cases security evaluations, > - not to mention firewalls, network monitoring tools .... > and number of other things I had no idea existed and majority of which is not maintained anymore. > > There are only so many times that one can get everyone's attention to upgrade DNS stuff, thus requiring the change process to be run should not be taken lightly. > If on the other hand if the editors are only interested in vanity algorithm assignment without any deployment then ........... > > Olafur > > > On Wed, Dec 9, 2015 at 4:00 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> > wrote: > >> >> >> >> -------- Forwarded Message -------- >> Subject: code points for brainpool curves for DNSSEC >> Date: Wed, 9 Dec 2015 18:00:18 +0000 >> From: Stephen Farrell <stephen.farrell@cs.tcd.ie> >> To: saag@ietf.org >> >> >> Hiya, >> >> The brainpool folks have written an I-D [1] that they are pushing >> through the rfc editor's independent stream. [2] >> >> That I-D wants to register code points for using their curves for >> DNSSEC. >> >> For documents that come through the independent stream, the IESG >> does an RFC 5742 [3] conflict review. The purpose of that review >> is to check that the RFC doesn't conflict with ongoing work in >> the IETF. >> >> If you have thoughts on this, please let me know before Dec 17th. >> I'll forward this to the dnsop, cfrg and curdle mailing lists >> to check there too. Apologies if you get >1 copy of this. Please >> try follow up on the saag list if you can. >> >> Thanks, >> Stephen. >> >> >> [1] https://tools.ietf.org/html/draft-schmidt-brainpool-dnssec >> [2] https://www.rfc-editor.org/pubprocess/ >> [3] https://tools.ietf.org/html/rfc5742 >> >> >> >> _______________________________________________ >> DNSOP mailing list >> DNSOP@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsop >> > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] Fwd: code points for brainpool curves for… Stephen Farrell
- Re: [DNSOP] [saag] code points for brainpool curv… Phillip Hallam-Baker
- Re: [DNSOP] Fwd: code points for brainpool curves… Ólafur Guðmundsson
- Re: [DNSOP] code points for brainpool curves for … Patrik Fältström
- [DNSOP] Fwd: Re: [saag] code points for brainpool… Stephen Farrell
- Re: [DNSOP] Fwd: Re: [saag] code points for brain… Edward Lewis
- Re: [DNSOP] Fwd: Re: [saag] code points for brain… Edward Lewis