Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

Evan Hunt <each@isc.org> Mon, 22 February 2010 17:26 UTC

Date: Mon, 22 Feb 2010 17:23:25 +0000
From: Evan Hunt <each@isc.org>
To: Roy Arends <roy@dnss.ec>
Message-ID: <20100222172325.GC99592@isc.org>
References: <4B807DC0.9050807@ogud.com> <315AD36E-879A-4512-A6A8-B64372E3D3CF@sinodun.com> <201002220022.o1M0M3qR048760@drugs.dv.isc.org> <A8EB3AAE-0DA6-4C4E-B2D1-E548884F63D5@dnss.ec> <4B8251E9.70904@nlnetlabs.nl> <699B9362-B927-4148-B79E-2AEB6D713BE8@dnss.ec> <4B82897F.7080000@nlnetlabs.nl> <9C97F5BFBD540A6242622CC7@Ximines.local> <20100222161251.GA99592@isc.org> <FD83B7A9-583C-4E6C-9301-414D043DBB08@dnss.ec>
In-Reply-To: <FD83B7A9-583C-4E6C-9301-414D043DBB08@dnss.ec>
Cc: dnsop@ietf.org, "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>, Alex Bligh <alex@alex.org.uk>
Subject: Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

> This is absurd. If we're going to do this, I'd like the security
> considerations to reflect all of the non-zero probabilities of errors
> occurring (those that have a higher probability).

I just answered this point in private mail to someone else, failing to
realize until after I'd sent it that it was off-list, so I'll repeat
myself...

My point is not to say that hash collisions are a problem or that NSEC3 is
a poor choice.  My point is that it's bad form to make mathematically false
statements--even if they're *almost completely* true--and especially so
when you get anywhere near cryptographers.

"NSEC3 is exactly as good as NSEC" is a mathematical statement.  It's very,
very close to true, but in math that still makes it false.  "NSEC3 is as
good as NSEC except under conditions so fantastically improbable that it's
safe to ignore them" is a few more words, but has the benefit of actually
being *true*, and I think that's what the draft should say.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
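As an added illustration, not part of this thread, the following computes the NSEC3 owner-name hash as RFC 5155 section 5 defines it, checks a set of zone names for the hash collision the thread is arguing about, and applies the birthday bound that puts a number on "fantastically improbable". The salt and iteration count are those of the RFC 5155 Appendix A example zone; the one-billion-name zone size is a constructed figure.

```python
import base64
import hashlib
import math
from collections import defaultdict

# RFC 4648 base32 -> base32hex ("Extended Hex") alphabet translation table
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """NSEC3 hash, RFC 5155 section 5:
    IH(salt, x, 0) = SHA-1(x || salt); IH(salt, x, k) = SHA-1(IH(salt, x, k-1) || salt).
    Returned as lowercase base32hex, the form used for NSEC3 owner names."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii").lower()

def find_hash_collisions(names, salt: bytes = b"", iterations: int = 0) -> dict:
    """Group owner names by NSEC3 hash and return only buckets holding more than
    one distinct name: the case where the NSEC3 chain can no longer tell the
    names apart (the non-zero-probability event discussed in the thread)."""
    buckets = defaultdict(set)
    for name in names:
        buckets[nsec3_hash(name, salt, iterations)].add(wire_name(name))
    return {h: sorted(ns) for h, ns in buckets.items() if len(ns) > 1}

def collision_probability(n: int, bits: int = 160) -> float:
    """Birthday bound: probability that at least two of n distinct names share a
    `bits`-bit hash, P = 1 - exp(-n(n-1) / 2^(bits+1)). expm1 keeps tiny
    probabilities from rounding to zero."""
    return -math.expm1(-n * (n - 1) / 2.0 ** (bits + 1))

if __name__ == "__main__":
    salt, iterations = bytes.fromhex("aabbccdd"), 12   # RFC 5155 Appendix A parameters
    zone = ["example.", "a.example.", "ai.example.", "ns1.example.", "ns2.example."]
    for name in zone:
        print(f"{nsec3_hash(name, salt, iterations)}.example.  <- {name}")
    print("collisions:", find_hash_collisions(zone, salt, iterations))
    # Constructed zone size, larger than any real zone, to quantify "improbable".
    print(f"P(any collision among 1e9 names) ~ {collision_probability(10**9):.2e}")
```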