Re: draft-ietf-dnsext-dnssec-gost
Olafur Gudmundsson <ogud@ogud.com> Tue, 16 February 2010 00:42 UTC
Return-Path: <ogud@ogud.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 607263A7BF3 for <ietf@core3.amsl.com>; Mon, 15 Feb 2010 16:42:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.66
X-Spam-Level:
X-Spam-Status: No, score=-2.66 tagged_above=-999 required=5 tests=[AWL=-0.061, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bIPddSTyqJMr for <ietf@core3.amsl.com>; Mon, 15 Feb 2010 16:42:20 -0800 (PST)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by core3.amsl.com (Postfix) with ESMTP id 365CD3A7A3C for <ietf@ietf.org>; Mon, 15 Feb 2010 16:42:20 -0800 (PST)
Received: from [IPv6:::1] (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id o1G0hnP0096176 for <ietf@ietf.org>; Mon, 15 Feb 2010 19:43:49 -0500 (EST) (envelope-from ogud@ogud.com)
Message-ID: <4B79EA46.2080509@ogud.com>
Date: Mon, 15 Feb 2010 19:43:50 -0500
From: Olafur Gudmundsson <ogud@ogud.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
MIME-Version: 1.0
To: ietf@ietf.org
Subject: Re: draft-ietf-dnsext-dnssec-gost
References: <201002152337.o1FNbbji028843@fs4113.wdf.sap.corp>
In-Reply-To: <201002152337.o1FNbbji028843@fs4113.wdf.sap.corp>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.67 on 10.20.30.4
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Feb 2010 00:42:21 -0000
On 15/02/2010 6:37 PM, Martin Rex wrote: > Mark Andrews wrote: >> >> In message<201002151420.o1FEKCMx024227@fs4113.wdf.sap.corp>, Martin Rex writes >> : >>> OK, I'm sorry. For the DNSsec GOST signature I-D, the default/prefered (?) >>> parameter sets are explicitly listed in last paragraph of section 2 >>> of draft-ietf-dnsext-dnssec-gost-06. However, it does _NOT_ say what to >>> do if GOST R34.10-2001 signatures with other parameter sets are encountered. >> >> Since each end adds the parameters and they are NOT transmitted this >> can never happen. If one end was to change the parameters then nothing >> would validate. > > > OK. I didn't know anything abouth DNSSEC when I entered the disussion... > > > Having scanned some of the available document (rfc-4034,rfc-4035,rfc-2536 > and the expired I-D draft-ietf-dnsext-ecc-key-10.txt) I'm wondering > about the following: > > - the DNS security algorithm tag ought to be GOST R34.10-2001 > and not just "GOST" This is a good point, adding a version label is a possiblity in this case or just in the future cases, but I think slapping one on this is fine. > > - DSA and the expired ECC draft spell out the entire algorithm > parameters in the key RRs, which preclues having to assign > additional algorithm identifiers if a necessity comes up to > use different algorithm parameters. DSA did not cover the case if the key is > 1024 bit. ECC draft was killed due to the fact it was impossible to guarantee that a implementation supporting ECC would be able to handle all the possible curves that the proposal allowed. > > Wouldn't it be sensible to do the same for GOST R34.10-2001 keys -- > i.e. list the parameter set as part of the public key data? > Given the procedure of the standardization body that defines GOST > the parameter set OID could be used in alternative to spelling > out each of the element in the parameter set in full. > Implying the paramter set A for the GOST R34.10-2001 algorithm does > not seem very "agile", given the limited number range for the algorithm > field in DNS security. > For interoperability reasons we WANT MINIMAL flexibility for implementors/users. Thus we stripped all that out and picked ONE possible GOST/2001 curve. > Given the differences between -1994 and -2001 versions, > any successor GOST R34.10-201X standard may not be able to reuse > the DNSKEY record anyway and need a new algorithm identifier. > And at that point, an unqualified label "GOST" would become > ambiguous. > see above, Olafur (document shepeard)
- Re: draft-ietf-dnsext-dnssec-gost Paul Hoffman
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson
- draft-ietf-dnsext-dnssec-gost Stephen Kent
- Re: draft-ietf-dnsext-dnssec-gost Andrew Sullivan
- Re: draft-ietf-dnsext-dnssec-gost Paul Hoffman
- Re: draft-ietf-dnsext-dnssec-gost Richard L. Barnes
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Michael Dillon
- Re: draft-ietf-dnsext-dnssec-gost Sean Turner
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Sean Turner
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost Stephen Farrell
- Re: draft-ietf-dnsext-dnssec-gost Andrew Sullivan
- Re: draft-ietf-dnsext-dnssec-gost Stephen Kent
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost David Conrad
- Re: draft-ietf-dnsext-dnssec-gost Edward Lewis
- Re: draft-ietf-dnsext-dnssec-gost Sean Turner
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost ned+ietf
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Stephen Kent
- Re: draft-ietf-dnsext-dnssec-gost Stephen Kent
- RE: draft-ietf-dnsext-dnssec-gost Rex, Martin
- Re: draft-ietf-dnsext-dnssec-gost Spencer Dawkins
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Mark Andrews
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost Andrew Sullivan
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Ran Atkinson
- Re: draft-ietf-dnsext-dnssec-gost Phillip Hallam-baker
- Re: draft-ietf-dnsext-dnssec-gost Phillip Hallam-baker
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson