Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...

Phillip Hallam-Baker <hallam@gmail.com> Wed, 02 April 2014 11:38 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AB371A01E7 for <dnsop@ietfa.amsl.com>; Wed, 2 Apr 2014 04:38:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b8LQFCQijzx9 for <dnsop@ietfa.amsl.com>; Wed, 2 Apr 2014 04:38:28 -0700 (PDT)
Received: from mail-la0-x22e.google.com (mail-la0-x22e.google.com [IPv6:2a00:1450:4010:c03::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 93DF61A01C7 for <dnsop@ietf.org>; Wed, 2 Apr 2014 04:38:27 -0700 (PDT)
Received: by mail-la0-f46.google.com with SMTP id hr17so44955lab.19 for <dnsop@ietf.org>; Wed, 02 Apr 2014 04:38:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=+T+yPPemNxV9pVgMCi10GMQ5rCCNXDTEiukBMj5ZRlc=; b=hTa2kU48x5gnrhBm4TYeW3CxuQQv0AEANd2oRDxZMfK67l5q6vstQpWjBdTp2TEcSP fTnLzPDrB1Xc7rtPK892KHk3Z0/AuXv9bk0bmWS+Qngqe8wDVpTmx1etZsT5qEFqp5iz KTSXVpKRZZhMA1B22XX/4YyGCP2kUr7wgzNbL5ZyVpgMtxxaJklGLvTWBOyRWz1CiZcN hNQBTPxqui3P5O0mfcBBxPMVTeNajRoNW7w4rcp7L/bQsvTiwKCmgSkaXMm/lZOhqWyD M9gqtgkMwYVywS6bmUOsR0BYWgR4QO+jXc1I7KYnTkNFSRM5h9fsh0q6oHF+QjIy4QCI 9Fgw==
MIME-Version: 1.0
X-Received: by 10.152.20.1 with SMTP id j1mr50177lae.83.1396438702829; Wed, 02 Apr 2014 04:38:22 -0700 (PDT)
Received: by 10.112.234.229 with HTTP; Wed, 2 Apr 2014 04:38:22 -0700 (PDT)
In-Reply-To: <2665E768-F3C0-4061-B7F0-B196294C8266@vpnc.org>
References: <0EA28BE8-E872-46BA-85FD-7333A1E13172@icsi.berkeley.edu> <53345C77.8040603@uni-due.de> <B7893984-2FAD-472D-9A4E-766A5C212132@pch.net> <102C13BE-E45E-437A-A592-FA373FF5C8F0@ogud.com> <474B0834-C16B-4843-AA0A-FC2A2085FEFB@icsi.berkeley.edu> <CFA0ED6F-6800-4638-90B0-CD414301C501@ogud.com> <2665E768-F3C0-4061-B7F0-B196294C8266@vpnc.org>
Date: Wed, 2 Apr 2014 07:38:22 -0400
Message-ID: <CAMm+LwgeBWA1aBBZiSLtjtDbPP5R=cqP07ZDrbRQSOsSo76kOw@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: multipart/alternative; boundary=089e013d1d4cd5357004f60db809
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/fcBqT7T55oUuOThhAkgF4wg6nPQ
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 11:38:32 -0000

On Tue, Apr 1, 2014 at 10:48 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> On Apr 1, 2014, at 7:37 PM, Olafur Gudmundsson <ogud@ogud.com> wrote:
>
> > Why not go to a good ECC instead ? (not sure which one, but not P256 or
> P384)
>
> Why not P256 or P384? They are the most-studied curves. Some of the newer
> curves do have advantages, but they are also newer.
>

Same answer as always: A patent troll with the most worthless claim ever is
still going to cost $4 million to get a declarative judgement against.

RIM is on the verge of bankruptcy and it is very likely the patents will be
acquired by a troll.

And the new tactic is to go after the customers, not the technology
providers. So without the declarative judgement we are swapping a
technology we know we have no problem with for one with an expensive
liability. So we definitely need a declarative judgement.


IF the size of the signatures vs the packet size was the issue we could go
to DSA. It has some implementation issues but I'll take 2048 bit DSA over
1024 bit RSA.

Alternatively, we can forget the ICANN root as being the primary validation
path and have people publish a 2048 bit cert in a WebPKI validated chain in
their zone. We already have the records for that.

-- 
Website: http://hallambaker.com/