Re: [DNSOP] New Version Notification for draft-muks-dnsop-dnssec-sha3-01

Paul Wouters <paul@nohats.ca> Mon, 08 May 2017 16:46 UTC

Date: Mon, 08 May 2017 12:46:21 -0400
From: Paul Wouters <paul@nohats.ca>
To: Olafur Gudmundsson <ogud@ogud.com>
cc: Mukund Sivaraman <muks@isc.org>, IETF DNSOP WG <dnsop@ietf.org>
In-Reply-To: <36190869-0215-4BA9-AF9E-297CA4035849@ogud.com>
Message-ID: <alpine.LRH.2.20.999.1705081236110.14424@bofh.nohats.ca>
References: <20170410093847.GA21654@jurassic> <CA+nkc8AebVmM46FQ3hzcz9OkNEMvBu6EcSHF-L=hp9qobS8UHQ@mail.gmail.com> <20170410150917.GA22210@jurassic> <36190869-0215-4BA9-AF9E-297CA4035849@ogud.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zc4tNVhzmprS-Wz1t5Op22pUpVg>
Subject: Re: [DNSOP] New Version Notification for draft-muks-dnsop-dnssec-sha3-01

On Fri, 5 May 2017, Olafur Gudmundsson wrote:

> I strongly advocate against the adoption of this document in its current form.
> It violates basic interoperability guidelines by defining way too many
> algorithms with no justification why any of them are better or worse than others.
> There is no useful guidance on why these new algorithms are better even among themselves.
>
> One of the biggest hurdles to deployment is not in the 5-20 DNS software packages in wide use, but in all the 1000's of provisioning
> systems around the world, and the crypto libraries found on various Enterprise systems that have a lifetime of 4-8 years with security-only updates.
> Let's learn the lessons documented in https://tools.ietf.org/html/draft-york-dnsop-deploying-dnssec-crypto-algs-04
>
> I'm not convinced that SHA3 vs SHA2 matters at all, given the constrained, small data, with strict constraints on order and contents, that is
> being signed.

I agree. Especially in the light of how hard it is to remove obsolete
algorithms. We should have very good reasons to add new ones.

> The RSA key size allowed for these new supposedly stronger digest algorithms is still left at 1024 or 1280 bytes, even though a number
> of other parts of the Internet community will not consider signatures by keys with less than 2048 bits.

Not only that, but the reason specified is to bump RSA from
RSASSA-PKCS1-v1_5 to RSASSA-PSS. As far as I know, the security
issues of RSASSA-PKCS1-v1_5 are that when using it to _encrypt_
bogus data, it can be used as an oracle to obtain private key
bits. That means there is no on-the-wire security issue with
RSASSA-PKCS1-v1_5 for Digital Signatures. And if HSMs are used
to protect access to private keys, those keys should be marked
as "signing only keys" to avoid exposing the private key via this
attack if the machine with the HSM is compromised.

Paul
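Added illustration, not part of this thread and not code from any of its participants: a small audit that takes DNSKEY records in presentation format, recognises the RSA-based algorithm numbers, unpacks the RFC 3110 public-key encoding (exponent length, exponent, modulus) and reports the modulus size against the 2048-bit floor the message above mentions. The sample records are constructed here for demonstration (the moduli are synthetic, not real keys) and the `MIN_RSA_BITS` threshold is an assumption taken from the discussion, not a value any specification fixes.

```python
import base64
import struct

# IANA DNSSEC algorithm numbers whose DNSKEY public key uses the RFC 3110
# RSA wire format: [exponent length][exponent][modulus].
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}

# Assumed policy floor, taken from the thread's "less than 2048 bits" remark.
MIN_RSA_BITS = 2048


def parse_rfc3110_public_key(key_bytes: bytes):
    """Split RFC 3110 RSA public key data into (exponent, modulus) integers.

    A first byte of zero means a two-byte big-endian exponent length follows;
    otherwise the first byte itself is the exponent length.
    """
    if not key_bytes:
        raise ValueError("empty key data")
    if key_bytes[0] != 0:
        exp_len, offset = key_bytes[0], 1
    else:
        if len(key_bytes) < 3:
            raise ValueError("truncated exponent length")
        exp_len, offset = struct.unpack("!H", key_bytes[1:3])[0], 3
    exponent = key_bytes[offset:offset + exp_len]
    modulus = key_bytes[offset + exp_len:]
    if len(exponent) != exp_len or not modulus:
        raise ValueError("truncated key data")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big")


def audit_dnskey(rdata_text: str):
    """Audit one DNSKEY RDATA string 'flags protocol algorithm base64...'.

    Returns (algorithm, modulus_bits_or_None, verdict) where verdict is
    'ok', 'weak' (RSA modulus below MIN_RSA_BITS) or 'not-rsa'.
    """
    fields = rdata_text.split()
    algorithm = int(fields[2])
    key_bytes = base64.b64decode("".join(fields[3:]))
    if algorithm not in RSA_ALGORITHMS:
        return algorithm, None, "not-rsa"
    _, modulus = parse_rfc3110_public_key(key_bytes)
    bits = modulus.bit_length()
    return algorithm, bits, ("ok" if bits >= MIN_RSA_BITS else "weak")


def weak_keys(records):
    """Return the subset of records whose RSA modulus is below the floor."""
    return [r for r in records if audit_dnskey(r)[2] == "weak"]


def make_test_key(modulus_bits: int, exponent: int = 65537) -> str:
    """Build a syntactically valid RFC 3110 key blob of a given modulus size.

    The modulus is synthetic (top bit and low bit set), so this is only
    useful for exercising the parser, never as a real key.
    """
    modulus = (1 << (modulus_bits - 1)) | 1
    mod_bytes = modulus.to_bytes((modulus_bits + 7) // 8, "big")
    exp_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    if len(exp_bytes) < 256:
        blob = bytes([len(exp_bytes)]) + exp_bytes + mod_bytes
    else:
        blob = b"\x00" + struct.pack("!H", len(exp_bytes)) + exp_bytes + mod_bytes
    return base64.b64encode(blob).decode()


# Constructed sample records: a 1024-bit RSASHA256 KSK, a 2048-bit RSASHA256
# ZSK, and a non-RSA (ECDSAP256SHA256) key that the RSA check must skip.
SAMPLE_DNSKEYS = [
    "257 3 8 " + make_test_key(1024),
    "256 3 8 " + make_test_key(2048),
    "257 3 13 " + base64.b64encode(b"\x01" * 64).decode(),
]

if __name__ == "__main__":
    for record in SAMPLE_DNSKEYS:
        alg, bits, verdict = audit_dnskey(record)
        print(f"alg={alg} ({RSA_ALGORITHMS.get(alg, 'non-RSA')}) bits={bits} verdict={verdict}")
```

Feed it the DNSKEY RRset of a zone (for example the output of a `dig DNSKEY` query, one RDATA per line) and `weak_keys` lists the records a 2048-bit policy would reject; the parser deliberately accepts the long-exponent form of RFC 3110 so that unusual keys are measured rather than skipped.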