Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...
Phillip Hallam-Baker <hallam@gmail.com> Fri, 28 March 2014 13:06 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E19531A08A5 for <dnsop@ietfa.amsl.com>; Fri, 28 Mar 2014 06:06:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uvOPrOKdbXt5 for <dnsop@ietfa.amsl.com>; Fri, 28 Mar 2014 06:06:20 -0700 (PDT)
Received: from mail-lb0-x22c.google.com (mail-lb0-x22c.google.com [IPv6:2a00:1450:4010:c04::22c]) by ietfa.amsl.com (Postfix) with ESMTP id D2DA21A0671 for <dnsop@ietf.org>; Fri, 28 Mar 2014 06:06:19 -0700 (PDT)
Received: by mail-lb0-f172.google.com with SMTP id c11so3679097lbj.17 for <dnsop@ietf.org>; Fri, 28 Mar 2014 06:06:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=DrWKjT+LBj9ROg8eUQNRdpZwgPpn9lVN69xDAs8FYUs=; b=cyPBQviXFEhEb4EHNAcBVLUatGYAE4fgb4zwOH0rKeijlo+XeMY6uNT+XwfU54BDE4 NRRe2DkFRJPKCZgnjrpjx6DfYnKn5XF2EtYYmStjWRQF+g2ib+PF9N+cws0RYCGfG2us cpbPIMnlC/grB6SObpvOJ2CzEk5OV9ZuK8EIb3DVipwf0WmkYEzyUlE5FNGSmgZiz/Tq 7UA55S514IhaxZdtlsGKP6yCzKlQ8zqM7VAEltp0CvY4P9664mgHJoRELIHSwIKoRy1p Wu81m9tho20R1SzirnzFRw9BDQFjPR8IT0tO1fgUxU+wpvF+dlJnFpr2zlLcDxlBo4s4 4hQQ==
MIME-Version: 1.0
X-Received: by 10.112.142.68 with SMTP id ru4mr103229lbb.49.1396011977153; Fri, 28 Mar 2014 06:06:17 -0700 (PDT)
Received: by 10.112.234.229 with HTTP; Fri, 28 Mar 2014 06:06:17 -0700 (PDT)
In-Reply-To: <alpine.LSU.2.00.1403281259440.31260@hermes-1.csi.cam.ac.uk>
References: <0EA28BE8-E872-46BA-85FD-7333A1E13172@icsi.berkeley.edu> <4B70E4D6-6750-4E5A-9058-7F94588DEF4C@vpnc.org> <CAL9jLaaAYPfRNSmoO=G+q2JA4a2RVsV-z-0o3RFY7r+dQN-a_w@mail.gmail.com> <734640E6-6393-4EBF-BE36-5C05026027E5@icsi.berkeley.edu> <alpine.LFD.2.10.1403271535160.4908@bofh.nohats.ca> <DD41060F-0006-4452-876C-6095B4A502AA@icsi.berkeley.edu> <alpine.LFD.2.10.1403271630300.4908@bofh.nohats.ca> <alpine.LSU.2.00.1403281259440.31260@hermes-1.csi.cam.ac.uk>
Date: Fri, 28 Mar 2014 09:06:17 -0400
Message-ID: <CAMm+Lwj+B5T63C6eJuq2z3Ppn2rQNDVc_8LFw8E05A=E_7i82g@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Tony Finch <dot@dotat.at>
Content-Type: multipart/alternative; boundary="001a11c36dfc0020c304f5aa5e5e"
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/asm35lGcw3p5_8qaP-G__Dr9-7w
Cc: dnsop WG <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Nicholas Weaver <nweaver@icsi.berkeley.edu>
Subject: Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Mar 2014 13:06:22 -0000
On Fri, Mar 28, 2014 at 9:01 AM, Tony Finch <dot@dotat.at> wrote: > Paul Wouters <paul@nohats.ca> wrote: > > > On Thu, 27 Mar 2014, Nicholas Weaver wrote: > > > > > For an attacker, the root ZSK is not 1 month validity, since an > attacker > > > who's in a position to take advantage of such a ZSK compromise is > going to > > > be faking all of DNS for the target, and can therefore just as easily > also > > > fake NTP, ensuring that the attacker's key is still valid for most > victims. > > > > Than you have lost forever because we have used a 1024 key in the past. > > You can always NTP attack them to today's 1024 key, and no increase in > > key size in the future will help you. > > I have a rough plan for how to avoid the insecure time replay > vulnerability: > http://www.ietf.org/mail-archive/web/dnsop/current/msg11245.html Why is this needed? Code is only vulnerable if it trusts 1024bit RSA. Code should not trust 1024bit RSA. Therefore ICANN needs to sign the root zone with 2048 before we consider it signed. End of story. -- Website: http://hallambaker.com/
- [DNSOP] Whiskey Tango Foxtrot on key lengths... Nicholas Weaver
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Nicholas Weaver
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Joe Abley
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Paul Hoffman
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Phillip Hallam-Baker
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Nicholas Weaver
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Phillip Hallam-Baker
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Phillip Hallam-Baker
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Rose, Scott
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Stephane Bortzmeyer
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Matthäus Wander
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Christopher Morrow
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Nicholas Weaver
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Christopher Morrow
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Paul Wouters
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Paul Wouters
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Phillip Hallam-Baker
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Joe Abley
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Joe Abley
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Bill Woodcock
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Tony Finch
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Phillip Hallam-Baker
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Colm MacCárthaigh
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Andrew Sullivan
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Tony Finch
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Joe Abley
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Phillip Hallam-Baker
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Thierry Moreau
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Phillip Hallam-Baker
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Matthäus Wander
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Joe Abley
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Colm MacCárthaigh
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Phillip Hallam-Baker
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… S Moonesamy
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Olafur Gudmundsson
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Bill Woodcock
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Nicholas Weaver
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Phillip Hallam-Baker
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Nicholas Weaver
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Jelte Jansen
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Mark Andrews
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Colm MacCárthaigh
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Mark Andrews
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Colm MacCárthaigh
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Olafur Gudmundsson
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Olafur Gudmundsson
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Paul Hoffman
- [DNSOP] CD (Re: Whiskey Tango Foxtrot on key leng… Evan Hunt
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Mark Andrews
- [DNSOP] CD bit (was Re: Whiskey Tango Foxtrot on … Andrew Sullivan
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Olafur Gudmundsson
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Colm MacCárthaigh
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Paul Wouters
- Re: [DNSOP] CD bit (was Re: Whiskey Tango Foxtrot… Mark Andrews
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Nicholas Weaver
- Re: [DNSOP] CD bit (was Re: Whiskey Tango Foxtrot… Andrew Sullivan
- Re: [DNSOP] CD (Re: Whiskey Tango Foxtrot on key … Colm MacCárthaigh
- Re: [DNSOP] CD (Re: Whiskey Tango Foxtrot on key … Nicholas Weaver
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Phillip Hallam-Baker
- [DNSOP] Current DNSOP thread and why 1024 bits Edward Lewis
- Re: [DNSOP] Current DNSOP thread and why 1024 bits Nicholas Weaver
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Stephane Bortzmeyer
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Paul Hoffman
- Re: [DNSOP] Current DNSOP thread and why 1024 bits Paul Hoffman
- [DNSOP] mailing list behavior Re: Current DNSOP t… Suzanne Woolf
- Re: [DNSOP] Current DNSOP thread and why 1024 bits Colm MacCárthaigh
- Re: [DNSOP] Current DNSOP thread and why 1024 bits Paul Wouters
- Re: [DNSOP] Current DNSOP thread and why 1024 bits S Moonesamy
- Re: [DNSOP] Current DNSOP thread and why 1024 bits Paul Hoffman
- Re: [DNSOP] Current DNSOP thread and why 1024 bits Rose, Scott
- Re: [DNSOP] CD (Re: Whiskey Tango Foxtrot on key … Mark Andrews
- Re: [DNSOP] CD (Re: Whiskey Tango Foxtrot on key … Colm MacCárthaigh
- Re: [DNSOP] Current DNSOP thread and why 1024 bits S Moonesamy
- Re: [DNSOP] Current DNSOP thread and why 1024 bits David Conrad
- Re: [DNSOP] Current DNSOP thread and why 1024 bits Paul Wouters
- Re: [DNSOP] Current DNSOP thread and why 1024 bits Ben Laurie
- Re: [DNSOP] Whiskey Tango Foxtrot on key lengths.… Francis Dupont