Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
Phillip Hallam-Baker <hallam@gmail.com> Wed, 24 February 2010 17:42 UTC
Date: Wed, 24 Feb 2010 12:44:10 -0500
To: tytso@mit.edu
Cc: "Dearlove, Christopher (UK)" <Chris.Dearlove@baesystems.com>, ietf@ietf.org, Wes Hardaker <wjhns1@hardakers.net>

The problem here is not that you might infringe the patent; the problem is that if a patent suit is brought against you, it will cost a minimum of about $5 million to defend.

Just to get to the point of having an opinion on the matter you would have to engage a competent expert witness who was willing to work on patent stuff rather than building stuff. Then they have to do maybe a month's work on research and explain the results to a group of lawyers. You are going to have five or more people and rack up several thousand hours at lawyer rates. Those costs buy a lot of crypto accelerator boards.

I kept trying to explain this situation to the various people who tried to sell their 'efficient CRL' hacks. Even if your system is the greatest ever and you give it to me for free, it will cost more to work out if it is legally safe than it costs to solve the problem with raw CPU power.

If the 512 byte limit really is a problem, then the logical answer would be to use DSA-SHA256 since the signatures generated in DSA are not a function of the key size. DSA also allows for offline calculation of the signature data which would address performance issues for companies like Akamai.

There are also reasons to beware of DSA. Steve Bellovin pointed out that if the random number generator is bad the private key can leak out. But RSA is not without similar issues; companies that can't generate a good random seed for DSA will probably not create secure keypairs for RSA either.

On Wed, Feb 24, 2010 at 11:50 AM, <tytso@mit.edu> wrote:
> I'm not a lawyer, and neither is Bruce Schneier who is quoted in the
> article below, but I suspect he's studied the ECC patent situation
> more than I have (and I looked at it quite a bit back when I was chairing
> ipsec).
>
> http://en.wikipedia.org/wiki/ECC_patents
>
> If it were up to me, I'm not sure I'd want to bet the DNS
> infrastructure on whether or not patent lawyers with shark-skin
> briefcases want to make a mint by instigating a lawsuit. As we've
> seen with the SCO lawsuit, even completely groundless legal disputes
> can take years and years, and the only winner is the lawyers. And
> we've seen how much public key deployment was held back because of the
> RSA patents; and most people who have lived through those dark times
> really don't want to revisit them again.
>
> As I told the Certicom folks over a decade ago, the best way they
> could make their (hardware implementation) patents more valuable is by
> explicitly making a non-assert pledge regarding software
> implementations of ECC. That would have cleared away a lot of the
> hesitation around using ECC, since regardless of whether the claims of
> ECC proponents that "no really, there's no problems here!" are true or
> not, it would have calmed the fears of those who've looked at the situation and
> who have perceived real risks.
>
> Of course, the Certicom folks didn't listen to me back then, and I
> doubt any of them would listen to me now....
>
> - Ted

--
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/
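
An added illustration, not part of the original message, of the two DSA properties the message mentions: the encoded signature length is set by the subgroup order q rather than by the modulus p, and a repeated per-signature nonce shows up as a repeated r value that an auditor can look for. The toy parameter sizes, function names, nonce sources and messages are all constructed for this example and are far too small for real use.

```python
import hashlib, math, secrets

def is_prime(n):  # trial division; adequate for the toy sizes used here
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

def make_params(p_bits, q=2**31 - 1):  # toy domain: q divides p-1, g has order q
    j = (1 << (p_bits - 1)) // q + 1
    while not is_prime(j * q + 1):
        j += 1
    p, h = j * q + 1, 2
    while pow(h, j, p) == 1:
        h += 1
    return p, q, pow(h, j, p)

def H(msg, q):  # toy reduction of SHA-256 into Z_q
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def sign(params, x, msg, k):  # x: private key, k: per-signature nonce
    p, q, g = params
    r = pow(g, k, p) % q
    return r, pow(k, -1, q) * (H(msg, q) + x * r) % q

def verify(params, y, msg, sig):
    (p, q, g), (r, s) = params, sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return pow(g, H(msg, q) * w % q, p) * pow(y, r * w % q, p) % p % q == r

def encode(sig, q):  # fixed-width r || s: the length depends on q only
    n = (q.bit_length() + 7) // 8
    return b"".join(v.to_bytes(n, "big") for v in sig)

def reused_nonces(sigs):  # r = (g^k mod p) mod q, so a repeated r flags a repeated k
    seen, dup = set(), set()
    for r, _ in sigs:
        (dup if r in seen else seen).add(r)
    return dup

healthy = lambda q: secrets.randbelow(q - 1) + 1  # fresh nonce for every signature
stuck = lambda q: 424242                          # constructed failure: RNG repeats

def audit(p_bits, nonce_source, msgs=(b"zone-a", b"zone-b")):
    params = make_params(p_bits)
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    sigs = [sign(params, x, m, nonce_source(q)) for m in msgs]
    ok = all(verify(params, pow(g, x, p), m, s) for m, s in zip(msgs, sigs))
    return p.bit_length(), len(encode(sigs[0], q)), ok, reused_nonces(sigs)
```

Signatures made with the stuck nonce source still verify, so the repeated-r check has to be run separately from signature verification.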