Re: draft-ietf-dnsext-dnssec-gost
Olafur Gudmundsson <ogud@ogud.com> Fri, 19 February 2010 10:47 UTC
Return-Path: <ogud@ogud.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5957D3A8130 for <ietf@core3.amsl.com>; Fri, 19 Feb 2010 02:47:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.471
X-Spam-Level:
X-Spam-Status: No, score=-2.471 tagged_above=-999 required=5 tests=[AWL=0.128, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R6QGXuFCpBMR for <ietf@core3.amsl.com>; Fri, 19 Feb 2010 02:47:02 -0800 (PST)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by core3.amsl.com (Postfix) with ESMTP id 361CE3A812B for <ietf@ietf.org>; Fri, 19 Feb 2010 02:47:02 -0800 (PST)
Received: from [IPv6:::1] (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id o1JAmeQ0032998 for <ietf@ietf.org>; Fri, 19 Feb 2010 05:48:41 -0500 (EST) (envelope-from ogud@ogud.com)
Message-ID: <4B7E6C88.2090206@ogud.com>
Date: Fri, 19 Feb 2010 05:48:40 -0500
From: Olafur Gudmundsson <ogud@ogud.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
MIME-Version: 1.0
To: ietf@ietf.org
Subject: Re: draft-ietf-dnsext-dnssec-gost
References: <201002152337.o1FNbbji028843@fs4113.wdf.sap.corp> <4B79EA46.2080509@ogud.com>
In-Reply-To: <4B79EA46.2080509@ogud.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.67 on 10.20.30.4
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2010 10:47:03 -0000
On 15/02/2010 7:43 PM, Olafur Gudmundsson wrote: > On 15/02/2010 6:37 PM, Martin Rex wrote: >> Mark Andrews wrote: >>> >>> In message<201002151420.o1FEKCMx024227@fs4113.wdf.sap.corp>, Martin >>> Rex writes >>> : >>>> OK, I'm sorry. For the DNSsec GOST signature I-D, the >>>> default/prefered (?) >>>> parameter sets are explicitly listed in last paragraph of section 2 >>>> of draft-ietf-dnsext-dnssec-gost-06. However, it does _NOT_ say what to >>>> do if GOST R34.10-2001 signatures with other parameter sets are >>>> encountered. >>> >>> Since each end adds the parameters and they are NOT transmitted this >>> can never happen. If one end was to change the parameters then nothing >>> would validate. >> >> >> OK. I didn't know anything abouth DNSSEC when I entered the disussion... >> >> >> Having scanned some of the available document (rfc-4034,rfc-4035,rfc-2536 >> and the expired I-D draft-ietf-dnsext-ecc-key-10.txt) I'm wondering >> about the following: >> >> - the DNS security algorithm tag ought to be GOST R34.10-2001 >> and not just "GOST" > > This is a good point, adding a version label is a possiblity in this > case or just in the future cases, but I think slapping one on > this is fine. > >> >> - DSA and the expired ECC draft spell out the entire algorithm >> parameters in the key RRs, which preclues having to assign >> additional algorithm identifiers if a necessity comes up to >> use different algorithm parameters. > DSA did not cover the case if the key is > 1024 bit. > ECC draft was killed due to the fact it was impossible to guarantee that > a implementation supporting ECC would be able to handle all the > possible curves that the proposal allowed. > > >> >> Wouldn't it be sensible to do the same for GOST R34.10-2001 keys -- >> i.e. list the parameter set as part of the public key data? >> Given the procedure of the standardization body that defines GOST >> the parameter set OID could be used in alternative to spelling >> out each of the element in the parameter set in full. >> Implying the paramter set A for the GOST R34.10-2001 algorithm does >> not seem very "agile", given the limited number range for the algorithm >> field in DNS security. >> > For interoperability reasons we WANT MINIMAL flexibility for > implementors/users. Thus we stripped all that out and picked ONE > possible GOST/2001 curve. > >> Given the differences between -1994 and -2001 versions, >> any successor GOST R34.10-201X standard may not be able to reuse >> the DNSKEY record anyway and need a new algorithm identifier. >> And at that point, an unqualified label "GOST" would become >> ambiguous. >> > see above, > > > Olafur (document shepeard) > Martin, Based on your comments and the possible confusion over registering the memonic "GOST" for DNSSEC, I think it would be wise to change the DNSKEY Memonic to "ECC-GOST". Olafur (document shepeard) PS: orignally we registered RSA for RSA/MD5 combination, then we got RSASHA1, RSASH256, RSASHA1NSEC3 ......, thus the first registered should not get a special shoter name than later variants :-)
- Re: draft-ietf-dnsext-dnssec-gost Paul Hoffman
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson
- draft-ietf-dnsext-dnssec-gost Stephen Kent
- Re: draft-ietf-dnsext-dnssec-gost Andrew Sullivan
- Re: draft-ietf-dnsext-dnssec-gost Paul Hoffman
- Re: draft-ietf-dnsext-dnssec-gost Richard L. Barnes
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Michael Dillon
- Re: draft-ietf-dnsext-dnssec-gost Sean Turner
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Sean Turner
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost Stephen Farrell
- Re: draft-ietf-dnsext-dnssec-gost Andrew Sullivan
- Re: draft-ietf-dnsext-dnssec-gost Stephen Kent
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost David Conrad
- Re: draft-ietf-dnsext-dnssec-gost Edward Lewis
- Re: draft-ietf-dnsext-dnssec-gost Sean Turner
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost ned+ietf
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Stephen Kent
- Re: draft-ietf-dnsext-dnssec-gost Stephen Kent
- RE: draft-ietf-dnsext-dnssec-gost Rex, Martin
- Re: draft-ietf-dnsext-dnssec-gost Spencer Dawkins
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Mark Andrews
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost Andrew Sullivan
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Ran Atkinson
- Re: draft-ietf-dnsext-dnssec-gost Phillip Hallam-baker
- Re: draft-ietf-dnsext-dnssec-gost Phillip Hallam-baker
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson