Re: [DNSOP] Fwd: code points for brainpool curves for DNSSEC
Ólafur Guðmundsson <olafur@cloudflare.com> Thu, 10 December 2015 00:33 UTC
Return-Path: <olafur@cloudflare.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C8001A21C7 for <dnsop@ietfa.amsl.com>; Wed, 9 Dec 2015 16:33:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.078
X-Spam-Level:
X-Spam-Status: No, score=-1.078 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fz4a3hcJvNXW for <dnsop@ietfa.amsl.com>; Wed, 9 Dec 2015 16:33:09 -0800 (PST)
Received: from mail-qg0-x231.google.com (mail-qg0-x231.google.com [IPv6:2607:f8b0:400d:c04::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93B0A1A21C3 for <dnsop@ietf.org>; Wed, 9 Dec 2015 16:33:09 -0800 (PST)
Received: by qgea14 with SMTP id a14so110752783qge.0 for <dnsop@ietf.org>; Wed, 09 Dec 2015 16:33:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=p9pbXC4qp8/++ze0GtL8BwIcmLTbdVkx7CBxrfAqG0c=; b=YQm2rvmQoM9aBbeSyXd+90+SCof+KmWU0hpFU2dmvldrmkKHQZQL4oDbmD0DZAzwiv AwenhSzY6rgj1czyN0Jo4F8tLBeSbJPHjlRyLKKQOfokZUka9F+uEsNQUfMWZ3CFnqHw a3EF+/yu+wi7HI5QqeAq4O77CnOOAtsaBp51s=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=p9pbXC4qp8/++ze0GtL8BwIcmLTbdVkx7CBxrfAqG0c=; b=CXvQJCirZfEWbKCwJKECZdts5TSElHUnXGRajDfn/iIb6tbf8poAKGBhwjtbzsdcLU eRGm8u02ba0EBSzmhjxC38eFIP7rvKs10SfgJ62Zxwyhgo7WB3B/GyrBcphWy1NJPe1Y gu7uwPPshf5Bo1hX5RjNIz0rj0tLATMIZs/ie9X2VbUX0fXm+4O0MGRwNYQpsSIVGz5p +0J1DVVAq1LYjknHZDqqRI1A7eefsX+GeV1VZc6V9t1jffMchaGX6MlIjeXd5bYjdRzk WsGGdXLepoQ3/wA1F8NCJ4T/rAuQ7pg32p+19ezBeI09EjqYn+Z49FfqLw5nCwk573aO gsjg==
X-Gm-Message-State: ALoCoQlIBJLf6A0iScamVc1LsF3/RBi46Y0IFV9dglwXelM2/1atcpBuwnp8yC6YyApxm+R2OTHuwHtTW7/frQYf6a45XVmbMheP6Aq+Zc+UsCh4PodbO/M=
MIME-Version: 1.0
X-Received: by 10.129.110.132 with SMTP id j126mr2836191ywc.172.1449707588794; Wed, 09 Dec 2015 16:33:08 -0800 (PST)
Received: by 10.37.88.8 with HTTP; Wed, 9 Dec 2015 16:33:08 -0800 (PST)
In-Reply-To: <56686C47.3070305@cs.tcd.ie>
References: <56686C32.6090400@cs.tcd.ie> <56686C47.3070305@cs.tcd.ie>
Date: Wed, 09 Dec 2015 22:33:08 -0200
Message-ID: <CAN6NTqyy5756kCGXg_vJeUL6kXLgRFJdSCav67QNpOAXdSbZaw@mail.gmail.com>
From: Ólafur Guðmundsson <olafur@cloudflare.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="001a11490c62dbe5dd05268059f6"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/wQ5v7yciqrCgRkABA512W0mR_Xw>
Cc: dnsop <dnsop@ietf.org>, saag@ietf.org
Subject: Re: [DNSOP] Fwd: code points for brainpool curves for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2015 00:33:12 -0000
Stephen, Sorry for being so blunt below. The document totally content free as to why this makes any sense in an operational context. DNSSEC algorithms should not be given out lightly as there is a significant COST to deploy support for each additional algorithm. While I strongly support having better ECC algorithm that the currently specified curves, adding a new ones SHOULD take place via a performance oriented process. Thus I strongly advocate that this publication be held up until we can compare this curve with other curves being proposed. Background I'm currently fighting an multifaceted battle to have various entities adding support for ECDSAP256, specified over 3 years ago. Adding and deploying a new DNSKEY algorithm does not just require changes to -- DNS servers, libraries and resolvers. That is just the top of the iceberg, but also to - DNS provisioning systems, DNSSEC signing systems, DNS testing tools, - user interfaces for registrars, hosting providers, third party DNS operators, CDN's, etc. - TLD and ccTLD policy documents, EPP implementations, plus in some cases security evaluations, - not to mention firewalls, network monitoring tools .... and number of other things I had no idea existed and majority of which is not maintained anymore. There are only so many times that one can get everyone's attention to upgrade DNS stuff, thus requiring the change process to be run should not be taken lightly. If on the other hand if the editors are only interested in vanity algorithm assignment without any deployment then ........... Olafur On Wed, Dec 9, 2015 at 4:00 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > > > -------- Forwarded Message -------- > Subject: code points for brainpool curves for DNSSEC > Date: Wed, 9 Dec 2015 18:00:18 +0000 > From: Stephen Farrell <stephen.farrell@cs.tcd.ie> > To: saag@ietf.org > > > Hiya, > > The brainpool folks have written an I-D [1] that they are pushing > through the rfc editor's independent stream. [2] > > That I-D wants to register code points for using their curves for > DNSSEC. > > For documents that come through the independent stream, the IESG > does an RFC 5742 [3] conflict review. The purpose of that review > is to check that the RFC doesn't conflict with ongoing work in > the IETF. > > If you have thoughts on this, please let me know before Dec 17th. > I'll forward this to the dnsop, cfrg and curdle mailing lists > to check there too. Apologies if you get >1 copy of this. Please > try follow up on the saag list if you can. > > Thanks, > Stephen. > > > [1] https://tools.ietf.org/html/draft-schmidt-brainpool-dnssec > [2] https://www.rfc-editor.org/pubprocess/ > [3] https://tools.ietf.org/html/rfc5742 > > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] Fwd: code points for brainpool curves for… Stephen Farrell
- Re: [DNSOP] [saag] code points for brainpool curv… Phillip Hallam-Baker
- Re: [DNSOP] Fwd: code points for brainpool curves… Ólafur Guðmundsson
- Re: [DNSOP] code points for brainpool curves for … Patrik Fältström
- [DNSOP] Fwd: Re: [saag] code points for brainpool… Stephen Farrell
- Re: [DNSOP] Fwd: Re: [saag] code points for brain… Edward Lewis
- Re: [DNSOP] Fwd: Re: [saag] code points for brain… Edward Lewis