IETF Logo Mail Archive

Re: draft-ietf-dnsext-dnssec-gost

Olafur Gudmundsson <ogud@ogud.com> Tue, 16 February 2010 00:42 UTC

Return-Path: <ogud@ogud.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 607263A7BF3 for <ietf@core3.amsl.com>; Mon, 15 Feb 2010 16:42:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.66
X-Spam-Level:
X-Spam-Status: No, score=-2.66 tagged_above=-999 required=5 tests=[AWL=-0.061, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bIPddSTyqJMr for <ietf@core3.amsl.com>; Mon, 15 Feb 2010 16:42:20 -0800 (PST)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by core3.amsl.com (Postfix) with ESMTP id 365CD3A7A3C for <ietf@ietf.org>; Mon, 15 Feb 2010 16:42:20 -0800 (PST)
Received: from [IPv6:::1] (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id o1G0hnP0096176 for <ietf@ietf.org>; Mon, 15 Feb 2010 19:43:49 -0500 (EST) (envelope-from ogud@ogud.com)
Message-ID: <4B79EA46.2080509@ogud.com>
Date: Mon, 15 Feb 2010 19:43:50 -0500
From: Olafur Gudmundsson <ogud@ogud.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
MIME-Version: 1.0
To: ietf@ietf.org
Subject: Re: draft-ietf-dnsext-dnssec-gost
References: <201002152337.o1FNbbji028843@fs4113.wdf.sap.corp>
In-Reply-To: <201002152337.o1FNbbji028843@fs4113.wdf.sap.corp>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.67 on 10.20.30.4
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Feb 2010 00:42:21 -0000

On 15/02/2010 6:37 PM, Martin Rex wrote:
> Mark Andrews wrote:
>>
>> In message<201002151420.o1FEKCMx024227@fs4113.wdf.sap.corp>, Martin Rex writes
>> :
>>> OK, I'm sorry.  For the DNSsec GOST signature I-D, the default/prefered (?)
>>> parameter sets are explicitly listed in last paragraph of section 2
>>> of draft-ietf-dnsext-dnssec-gost-06.  However, it does _NOT_ say what to
>>> do if GOST R34.10-2001 signatures with other parameter sets are encountered.
>>
>> Since each end adds the parameters and they are NOT transmitted this
>> can never happen.  If one end was to change the parameters then nothing
>> would validate.
>
>
> OK.  I didn't know anything abouth DNSSEC when I entered the disussion...
>
>
> Having scanned some of the available document (rfc-4034,rfc-4035,rfc-2536
> and the expired I-D draft-ietf-dnsext-ecc-key-10.txt) I'm wondering
> about the following:
>
>    - the DNS security algorithm tag ought to be GOST R34.10-2001
>      and not just "GOST"

This is a good point, adding a version label is a possiblity in this
case or just in the future cases, but I think slapping one on
this is fine.

>
>    - DSA and the expired ECC draft spell out the entire algorithm
>      parameters in the key RRs, which preclues having to assign
>      additional algorithm identifiers if a necessity comes up to
>      use different algorithm parameters.
DSA did not cover the case if the key is > 1024 bit.
ECC draft was killed due to the fact it was impossible to guarantee that
a implementation supporting ECC would be able to handle all the
possible curves that the proposal allowed.


>
>      Wouldn't it be sensible to do the same for GOST R34.10-2001 keys --
>      i.e. list the parameter set as part of the public key data?
>      Given the procedure of the standardization body that defines GOST
>      the parameter set OID could be used in alternative to spelling
>      out each of the element in the parameter set in full.
>      Implying the paramter set A for the GOST R34.10-2001 algorithm does
>      not seem very "agile", given the limited number range for the algorithm
>      field in DNS security.
>
For interoperability reasons we WANT MINIMAL flexibility for 
implementors/users. Thus we stripped all that out and picked ONE
possible GOST/2001 curve.

> Given the differences between -1994 and -2001 versions,
> any successor GOST R34.10-201X standard may not be able to reuse
> the DNSKEY record anyway and need a new algorithm identifier.
> And at that point, an unqualified label "GOST" would become
> ambiguous.
>
see above,


	Olafur (document shepeard)

v2.23.0 | Report a Bug | By Email