Re: [DNSOP] Key sizes was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt

Paul Hoffman <paul.hoffman@vpnc.org> Sat, 25 April 2009 02:44 UTC

Message-Id: <p0624087fc61828ba995c@[10.20.30.158]>
In-Reply-To: <F37ECB0D-D4B4-4AB5-A45B-134235961EBC@hopcount.ca>
Date: Fri, 24 Apr 2009 19:45:52 -0700
To: Joe Abley <jabley@hopcount.ca>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Key sizes was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt

At 10:25 PM -0400 4/24/09, Joe Abley wrote:
>My point is that given the choice between "doing what is currently considered safe" and "exceeding what is currently considered safe by a factor of four with no additional cost to you" I think many otherwise uninformed zone administrators are conditioned to choose the latter.

...which is a good reason why we give actual numbers in this draft.

I don't see where you are going with this. Do you want us to give hard numbers and not justify them so admins won't pick anything else? Or?

>>>On the flip side, how can the "real cost" for validator-operators that you assert be quantified?
>>
>>Exactly.
>
>So your point is that you don't know how to quantify it?

Correct. How can you know how many other zone admins waste cycles on validator boxes? How can you know how many cycles are being used on those boxes for other things?

>>How will you know? Why not stop when enough is enough?
>
>Because there's no incentive for a zone administrator to choose anything other than the largest key her tools let her create. So what is "enough"?

An attack that would cost hundreds of millions of dollars and take longer than your key will be valid. This was covered earlier in this thread.

--Paul Hoffman, Director
--VPN Consortium