Re: [DNSOP] New Version of draft-ietf-dnsop-algorithm-update-00: Algorithm Implementation Requirements and Usage Guidance for DNSSEC
Ondřej Surý <ondrej@isc.org> Tue, 27 March 2018 08:04 UTC
Return-Path: <ondrej@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD9A8124C27 for <dnsop@ietfa.amsl.com>; Tue, 27 Mar 2018 01:04:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HyG2HLn_sqV9 for <dnsop@ietfa.amsl.com>; Tue, 27 Mar 2018 01:04:08 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15EE9127023 for <dnsop@ietf.org>; Tue, 27 Mar 2018 01:04:08 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id B33C83AB045; Tue, 27 Mar 2018 08:04:07 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 7783716006B; Tue, 27 Mar 2018 08:04:07 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 5DADA16006A; Tue, 27 Mar 2018 08:04:07 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id zbJ-toViJYOf; Tue, 27 Mar 2018 08:04:07 +0000 (UTC)
Received: from [10.10.0.193] (40.20.broadband5.iol.cz [88.100.20.40]) by zmx1.isc.org (Postfix) with ESMTPSA id 7221916003A; Tue, 27 Mar 2018 08:04:06 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Ondřej Surý <ondrej@isc.org>
In-Reply-To: <525a5b1f-07a6-1fb1-aada-5a5dc07db110@brokendns.net>
Date: Tue, 27 Mar 2018 10:04:03 +0200
Cc: dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <844B9427-96F7-4E15-8588-AAA1896AD03C@isc.org>
References: <EBE54422-0A97-4B33-BD55-01CACF1F272A@isc.org> <525a5b1f-07a6-1fb1-aada-5a5dc07db110@brokendns.net>
To: Michael Sinatra <michael@brokendns.net>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sI6arNX1rml39Hg9m0uDicPO_Rk>
Subject: Re: [DNSOP] New Version of draft-ietf-dnsop-algorithm-update-00: Algorithm Implementation Requirements and Usage Guidance for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 08:04:13 -0000
Hi Michael, > On 27 Mar 2018, at 02:30, Michael Sinatra <michael@brokendns.net> wrote: > > > > On 03/22/18 08:08, Ondřej Surý wrote: > >> * Separate operational recommendations for default algorithm to ECDSAP256SHA256 >> * Deprecation of ECC-GOST (that actually happened elsewhere, so we reflect it here) >> >> I also squeezed paragraph about DS algorithm upgrade to operational considerations based on Roy Arends’ presentation. > > Regarding the comments (and general tone of the document) regarding > SHA384 and ECDSAP384SHA384: > > I am a bit uncomfortable with the document's disrecommendation of SHA384 > and ECDSAP384SHA384. The main reason for this is that for crypto > recommendations here in the USG, I often point people to the successor > of the NSA Suite B recommendations, now called the "Commercial National > Security Algorithm Suite" or CNSA. The recommendations here call for > SHA384 and P-384: > > https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm > > This document made a bit of a splash by pointing out that ECC is not > really quantum-resistant, which led to lots of "theories" as to why > NSA-IAD was making that claim. But the main utility of the document is > the crypto strength recommendations in the document. > > I am *very* sympathetic to the argument that P-256 and SHA-256 are "good > enough" for DNSSEC, especially since we can expect any such signatures > to have expired by the time 112-bit security is completely obsolete. My > motivation is around encouraging people to use the strongest security > available to them without having to worry about whether some > applications could get away with weaker security or not. > > Given that ECDSAP384SHA384 signatures and key lengths are still > significantly smaller than RSASHA256, the adage of "use the strongest > *practical* security algorithm that's available" would still seem to > point to ECDSAP384SHA384. For this reason, I am not comfortable with > the statement: > > "ECDSAP384SHA384 share the same properties as ECDSAP256SHA256, but > offers only a little advantage over ECDSAP256SHA256 and has not seen Perhaps, we could say: “offers only a little advantage for DNSSEC over …” as that would be more accurate. We are (should be) aiming for most practical secure algorithm and that’s ECDSAP256SHA256 at the moment, and ED25519 in a foreseeable future (when there’s enough deployed base). It’s always search for a balance, and given there’s already huge deployed base for ECDSAP256SHA256, I think that discouraging users to use P384 is a reasonable thing to do. > wide deployment, so the usage of this algorithm is discouraged, > especially for signing.” …but the document authors are open to other suggestions, it’s a WG document, so we will follow WG advice. > I would also advocate changing the Signing > Recommendation to "MAY.” That would be fine with me (also to align with ED448 that share many of the properties of P384). I also expect that no implementation would actually rip-out P384 implementation they already have, and for new implementations the recommendation of SHOULD NOT and MAY is of similar value. Cheers, Ondrej -- Ondřej Surý ondrej@isc.org
- [DNSOP] New Version of draft-ietf-dnsop-algorithm… Ondřej Surý
- Re: [DNSOP] New Version of draft-ietf-dnsop-algor… Paul Wouters
- Re: [DNSOP] New Version of draft-ietf-dnsop-algor… Ondřej Surý
- Re: [DNSOP] New Version of draft-ietf-dnsop-algor… Frederico A C Neves
- Re: [DNSOP] New Version of draft-ietf-dnsop-algor… Viktor Dukhovni
- Re: [DNSOP] New Version of draft-ietf-dnsop-algor… Ondřej Surý
- Re: [DNSOP] New Version of draft-ietf-dnsop-algor… Frederico A C Neves
- Re: [DNSOP] New Version of draft-ietf-dnsop-algor… Paul Wouters
- Re: [DNSOP] New Version of draft-ietf-dnsop-algor… Michael Sinatra
- Re: [DNSOP] New Version of draft-ietf-dnsop-algor… Ondřej Surý
- Re: [DNSOP] New Version of draft-ietf-dnsop-algor… Paul Hoffman
- Re: [DNSOP] New Version of draft-ietf-dnsop-algor… Michael Sinatra
- Re: [DNSOP] New Version of draft-ietf-dnsop-algor… Paul Hoffman
- Re: [DNSOP] New Version of draft-ietf-dnsop-algor… Michael Sinatra