Re: [DNSOP] New Version Notification for draft-schmidt-brainpool-dnssec-00.txt

Olafur Gudmundsson <ogud@ogud.com> Fri, 21 March 2014 15:45 UTC

From: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <38634A9C401D714A92BB13BBA9CCD34F05516F@mail-essen-01.secunet.de>
Date: Fri, 21 Mar 2014 11:44:54 -0400
Message-Id: <8D85D970-10CE-4156-89C2-229836A910A3@ogud.com>
References: <20140321072940.3738.9013.idtracker@ietfa.amsl.com> <38634A9C401D714A92BB13BBA9CCD34F05516F@mail-essen-01.secunet.de>
To: "Schmidt, Jörn-Marc" <Joern-Marc.Schmidt@secunet.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/pe07tpWbXncReb2HMipC-9G8GGY
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] New Version Notification for draft-schmidt-brainpool-dnssec-00.txt

On Mar 21, 2014, at 3:39 AM, "Schmidt, Jörn-Marc" <Joern-Marc.Schmidt@secunet.com> wrote:

> Dear all,
> 
> I've just submitted the draft below on using ECDSA with Brainpool Curves for DNSSEC. 
> 
> The rationale behind this submission is the fact that the German electronic health insurance card (Gesundheitskarte) mandates the use of DNSSEC, while the use of Brainpool curves is recommended by the German Federal Office for Information Security (BSI). Currently, using ECC with DNSSEC is only specified for NIST Curves (RFC 6605). Hence, in order to comply with the recommendations on the one hand and with global specifications on the other hand, we wrote this draft.
> 
> Any feedback/comments/thoughts are very welcome.
> 


Is the performance of these curves any better than P256, P384 and EC-GOST that are currently specified?
Unless there is significant performance improvement over the Px curves this is IMHO wasted effort.

Is there a reason to believe that the curves you request are significantly stronger than the currently specified curves? 

Why are you defining 3 curves?
There are only about 230 code points available for algorithms; we do not want "vanity" curves specified,
so unless you can JUSTIFY each one as being significantly "better" than what is currently specified,
what is the point? This includes both Pxxx curves and ECC-GOST.
Defining more algorithms decreases interoperability as code bases need to pick up all algorithms. 

While you talk about German regulations wanting some curve, that does not mean that they can mandate any
domain to use it. Thus the issue of what German regulations use for health care cards is orthogonal to what is used by DNSSEC.

If all you want is to publish German Health Insurance Card keys in DNS then ask for a "Gesundheit" record to publish the keys, and
then the consumption of these records only affects those that need to process the keys.

Sorry for the tone of the message, but you need MUCH better justification in your next version for this to be considered;
right now this looks like a pure vanity registration request.

	Olafur 
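The interoperability point above (a validator that does not implement an algorithm cannot use it) can be modelled with the DS/DNSKEY decision rules of RFC 4035 section 5.2 and RFC 6840 section 5.11. This is an added example, not code from the thread or from the draft; the Brainpool algorithm number is a constructed placeholder, since the draft has no IANA assignment, and DS digest-type support is left out of the model.

```python
# Added example: how a DNSSEC validator classifies a zone as secure, insecure
# or bogus depending on which signing algorithms it implements.
from dataclasses import dataclass

# Real IANA DNSSEC algorithm numbers.
RSASHA256 = 8
ECC_GOST = 12
ECDSAP256SHA256 = 13
ECDSAP384SHA384 = 14
# Hypothetical code point for ECDSA with a Brainpool curve (no IANA
# assignment exists; this value is a constructed placeholder).
BRAINPOOL_PLACEHOLDER = 200

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int

@dataclass(frozen=True)
class SignedKey:
    key_tag: int
    algorithm: int
    signature_valid: bool  # result of checking the RRSIG over the DNSKEY RRset

def validate_zone(ds_rrset, dnskey_rrset, supported):
    # RFC 4035 s.5.2: a DS record is only usable if the validator implements
    # its algorithm. With no usable DS the delegation is treated as unsigned,
    # i.e. the zone loses DNSSEC protection at this validator ("insecure").
    usable_ds = [ds for ds in ds_rrset if ds.algorithm in supported]
    if not usable_ds:
        return "insecure"
    # RFC 6840 s.5.11: one usable DS leading to a DNSKEY with a valid
    # self-signature is enough; the validator must not demand every algorithm.
    for ds in usable_ds:
        for key in dnskey_rrset:
            if (key.key_tag, key.algorithm) == (ds.key_tag, ds.algorithm) and key.signature_valid:
                return "secure"
    return "bogus"  # a supported algorithm was advertised but nothing verified

def scenarios():
    # A validator that implements only the algorithms common in 2014.
    validator = {RSASHA256, ECDSAP256SHA256, ECDSAP384SHA384}
    bp_ds, bp_key = DS(2, BRAINPOOL_PLACEHOLDER), SignedKey(2, BRAINPOOL_PLACEHOLDER, True)
    # Zone signed with P-256 and a Brainpool key: validated via the P-256 chain.
    dual = validate_zone([DS(1, ECDSAP256SHA256), bp_ds],
                         [SignedKey(1, ECDSAP256SHA256, True), bp_key], validator)
    # Zone signed only with Brainpool: this validator sees unsigned data.
    only_bp = validate_zone([bp_ds], [bp_key], validator)
    # Same zone at a validator that has picked up the new algorithm.
    with_bp = validate_zone([bp_ds], [bp_key], validator | {BRAINPOOL_PLACEHOLDER})
    return dual, only_bp, with_bp
```

The middle scenario is the cost Olafur describes: until every code base adds the algorithm, a zone that relies on it alone is simply unprotected at the validators that lack it.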


> Best,
> 
> Jörn
> 
> 
> ---
> A new version of I-D, draft-schmidt-brainpool-dnssec-00.txt
> has been successfully submitted by Joern-Marc Schmidt and posted to the IETF repository.
> 
> Name:		draft-schmidt-brainpool-dnssec
> Revision:	00
> Title:		ECC Brainpool Curves for DNSSEC
> Document date:	2014-03-21
> Group:		Individual Submission
> Pages:		6
> URL:            http://www.ietf.org/internet-drafts/draft-schmidt-brainpool-dnssec-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-schmidt-brainpool-dnssec/
> Htmlized:       http://tools.ietf.org/html/draft-schmidt-brainpool-dnssec-00
> 
> 
> Abstract:
>   This document specifies the use of ECDSA with ECC Brainpool curves in
>   DNS Security (DNSSEC).  It comprises curves of three different sizes.
> 
> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 