IETF Logo Mail Archive

Re: [DNSOP] New Version of draft-ietf-dnsop-algorithm-update-00: Algorithm Implementation Requirements and Usage Guidance for DNSSEC

Michael Sinatra <michael@brokendns.net> Tue, 27 March 2018 00:11 UTC

Return-Path: <michael@brokendns.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97D4B127871 for <dnsop@ietfa.amsl.com>; Mon, 26 Mar 2018 17:11:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dyz8-GaRUu40 for <dnsop@ietfa.amsl.com>; Mon, 26 Mar 2018 17:11:21 -0700 (PDT)
Received: from burnttofu.net (burnttofu.net [IPv6:2607:fc50:1:9d00::9977]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACDF4126CD6 for <dnsop@ietf.org>; Mon, 26 Mar 2018 17:11:21 -0700 (PDT)
Received: from elwha.brokendns.net (elwha.brokendns.net [IPv6:2607:f2f8:a544:0:0:0:0:2]) by burnttofu.net (8.15.2/8.15.2) with ESMTPS id w2R0BHwT067789 (version=TLSv1.2 cipher=DHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Mon, 26 Mar 2018 20:11:19 -0400 (EDT) (envelope-from michael@brokendns.net)
Received: from nofx.lbl.gov (nofx.lbl.gov [IPv6:2620:83:8000:107::f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elwha.brokendns.net (5.65c/IDA-1.4.4/5.63) with ESMTPSA id BC4AC4097C; Mon, 26 Mar 2018 17:11:16 -0700 (PDT)
To: Ondřej Surý <ondrej@isc.org>, dnsop@ietf.org
References: <EBE54422-0A97-4B33-BD55-01CACF1F272A@isc.org>
From: Michael Sinatra <michael@brokendns.net>
Message-ID: <525a5b1f-07a6-1fb1-aada-5a5dc07db110@brokendns.net>
Date: Mon, 26 Mar 2018 17:30:20 -0700
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <EBE54422-0A97-4B33-BD55-01CACF1F272A@isc.org>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-4.6.2 (burnttofu.net [IPv6:2607:fc50:1:9d00:0:0:0:9977]); Mon, 26 Mar 2018 20:11:19 -0400 (EDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gMBCXPVgfXrBUPXhddcB6fZxeSY>
Subject: Re: [DNSOP] New Version of draft-ietf-dnsop-algorithm-update-00: Algorithm Implementation Requirements and Usage Guidance for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 00:11:24 -0000


On 03/22/18 08:08, Ondřej Surý wrote:

> * Separate operational recommendations for default algorithm to ECDSAP256SHA256
> * Deprecation of ECC-GOST (that actually happened elsewhere, so we reflect it here)
> 
> I also squeezed paragraph about DS algorithm upgrade to operational considerations based on Roy Arends’ presentation.

Regarding the comments (and general tone of the document) regarding
SHA384 and ECDSAP384SHA384:

I am a bit uncomfortable with the document's disrecommendation of SHA384
and ECDSAP384SHA384.  The main reason for this is that for crypto
recommendations here in the USG, I often point people to the successor
of the NSA Suite B recommendations, now called the "Commercial National
Security Algorithm Suite" or CNSA.  The recommendations here call for
SHA384 and P-384:

https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm

This document made a bit of a splash by pointing out that ECC is not
really quantum-resistant, which led to lots of "theories" as to why
NSA-IAD was making that claim.  But the main utility of the document is
the crypto strength recommendations in the document.

I am *very* sympathetic to the argument that P-256 and SHA-256 are "good
enough" for DNSSEC, especially since we can expect any such signatures
to have expired by the time 112-bit security is completely obsolete.  My
motivation is around encouraging people to use the strongest security
available to them without having to worry about whether some
applications could get away with weaker security or not.

Given that ECDSAP384SHA384 signatures and key lengths are still
significantly smaller than RSASHA256, the adage of "use the strongest
*practical* security algorithm that's available" would still seem to
point to ECDSAP384SHA384.  For this reason, I am not comfortable with
the statement:

"ECDSAP384SHA384 share the same properties as ECDSAP256SHA256, but
offers only a little advantage over ECDSAP256SHA256 and has not seen
wide deployment, so the usage of this algorithm is discouraged,
especially for signing."  I would also advocate changing the Signing
Recommendation to "MAY."

michael

v2.23.0 | Report a Bug | By Email