IETF Logo Mail Archive

[DNSOP] Fwd: Re: [saag] code points for brainpool curves for DNSSEC

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 10 December 2015 09:42 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E6CD1A8865 for <dnsop@ietfa.amsl.com>; Thu, 10 Dec 2015 01:42:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id exkbfGeprBsu for <dnsop@ietfa.amsl.com>; Thu, 10 Dec 2015 01:42:54 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F4701A885B for <dnsop@ietf.org>; Thu, 10 Dec 2015 01:42:54 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 1C3BCBE64 for <dnsop@ietf.org>; Thu, 10 Dec 2015 09:42:53 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6IH-XMgmu625 for <dnsop@ietf.org>; Thu, 10 Dec 2015 09:42:51 +0000 (GMT)
Received: from [10.0.10.19] (unknown [212.76.224.242]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id B3A19BE54 for <dnsop@ietf.org>; Thu, 10 Dec 2015 09:42:50 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1449740571; bh=zuXSE0kHUkBTqymbUOnzluff68mCHFXA0mHVyIkoI2Y=; h=Subject:References:To:From:Date:In-Reply-To:From; b=fyEsA+m4f1UhbKP14N/roPmI0oRmmXfCVDAd4lblk5pEpHAyQFEq4l9I3LymxzR/F vjoBtqfEpoM1Rq4yeFZrFykVU8JuahWwcr9WfY6GYVdCsphFfSs4ZY53l+fDOwZXhc WuTvSlqxYRF//Spwbk7yHCIWPypXkAc3dU11/6jA=
References: <56694845.4000102@cs.tcd.ie>
To: dnsop@ietf.org
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
X-Forwarded-Message-Id: <56694845.4000102@cs.tcd.ie>
Message-ID: <5669491A.10301@cs.tcd.ie>
Date: Thu, 10 Dec 2015 09:42:50 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <56694845.4000102@cs.tcd.ie>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="PxwpEHc9GkkdjnwjfWQaelkgUGJvbKmNt"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/jfGjceC2UEee4QoQpoQMToPU2nE>
Subject: [DNSOP] Fwd: Re: [saag] code points for brainpool curves for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2015 09:42:56 -0000

FYI.

Please continue to follow up on the saag list for now so the
discussion (if more is needed) is in one place. (And thanks
for doing that so far.)

S.


-------- Forwarded Message --------
Subject: Re: [saag] [DNSOP] code points for brainpool curves for DNSSEC
Date: Thu, 10 Dec 2015 09:39:17 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: saag@ietf.org


Thanks all, that's sufficient feedback for me to propose to the
IESG that we return a "potentially disrupts, so please do not
publish now" 5742 response so I have proposed that to the IESG.
Additional discussion of reasons to not do this allocation now
may therefore be redundant.

Discussion of what to do in future is still welcome, and if
that doesn't happen I at least will raise the issue on the list
for the in-formation curdle WG. [1]

The text I've proposed is at [2], feel free to suggest edits,
but that can be done offlist.

Cheers,
S.

[1] https://datatracker.ietf.org/doc/charter-ietf-curdle/
[2]
https://datatracker.ietf.org/doc/conflict-review-schmidt-brainpool-dnssec/

On 10/12/15 09:15, Patrik Fältström wrote:
> I have nothing to add to what Ólafur wrote below. I agree with his statement.
> 
>    Patrik
> 
> On 10 Dec 2015, at 1:33, Ólafur Guðmundsson wrote:
> 
>> Stephen,
>>
>> Sorry for being so blunt below.
>>
>> The document totally content free as to why this makes any sense in an operational context.
>> DNSSEC algorithms should not be given out lightly as there is a significant COST to deploy support for each additional algorithm.
>>
>> While I strongly support having better ECC algorithm that the currently specified curves, adding a new ones SHOULD take place via a performance oriented process.
>> Thus I strongly advocate that this publication be held up until we can compare this curve with other curves being proposed.
>>
>> Background I'm currently fighting an multifaceted battle to have various entities adding support for ECDSAP256, specified over 3 years ago.
>>
>> Adding and deploying a new DNSKEY algorithm does not just require changes to
>> -- DNS servers, libraries and resolvers.
>>
>> That is just the top of the iceberg,  but also to
>> -  DNS provisioning systems, DNSSEC signing systems, DNS testing tools, - user interfaces for registrars, hosting providers, third party DNS operators, CDN's,  etc.
>> - TLD and ccTLD policy documents, EPP implementations, plus in some cases security evaluations,
>> - not to mention firewalls, network monitoring tools ....
>> and number of other things I had no idea existed and majority of which is not maintained anymore.
>>
>> There are only so many times that one can get everyone's attention to upgrade DNS stuff, thus requiring the change process to be run should not be taken lightly.
>> If on the other hand if the editors are only interested in vanity algorithm assignment without any deployment then ...........
>>
>> Olafur
>>
>>
>> On Wed, Dec 9, 2015 at 4:00 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
>> wrote:
>>
>>>
>>>
>>>
>>> -------- Forwarded Message --------
>>> Subject: code points for brainpool curves for DNSSEC
>>> Date: Wed, 9 Dec 2015 18:00:18 +0000
>>> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
>>> To: saag@ietf.org
>>>
>>>
>>> Hiya,
>>>
>>> The brainpool folks have written an I-D [1] that they are pushing
>>> through the rfc editor's independent stream. [2]
>>>
>>> That I-D wants to register code points for using their curves for
>>> DNSSEC.
>>>
>>> For documents that come through the independent stream, the IESG
>>> does an RFC 5742 [3] conflict review. The purpose of that review
>>> is to check that the RFC doesn't conflict with ongoing work in
>>> the IETF.
>>>
>>> If you have thoughts on this, please let me know before Dec 17th.
>>> I'll forward this to the dnsop, cfrg and curdle mailing lists
>>> to check there too. Apologies if you get >1 copy of this. Please
>>> try follow up on the saag list if you can.
>>>
>>> Thanks,
>>> Stephen.
>>>
>>>
>>> [1] https://tools.ietf.org/html/draft-schmidt-brainpool-dnssec
>>> [2] https://www.rfc-editor.org/pubprocess/
>>> [3] https://tools.ietf.org/html/rfc5742
>>>
>>>
>>>
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email