IETF Logo Mail Archive

Re: draft-ietf-dnsext-dnssec-gost

Olafur Gudmundsson <ogud@ogud.com> Fri, 19 February 2010 10:47 UTC

Return-Path: <ogud@ogud.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5957D3A8130 for <ietf@core3.amsl.com>; Fri, 19 Feb 2010 02:47:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.471
X-Spam-Level:
X-Spam-Status: No, score=-2.471 tagged_above=-999 required=5 tests=[AWL=0.128, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R6QGXuFCpBMR for <ietf@core3.amsl.com>; Fri, 19 Feb 2010 02:47:02 -0800 (PST)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by core3.amsl.com (Postfix) with ESMTP id 361CE3A812B for <ietf@ietf.org>; Fri, 19 Feb 2010 02:47:02 -0800 (PST)
Received: from [IPv6:::1] (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id o1JAmeQ0032998 for <ietf@ietf.org>; Fri, 19 Feb 2010 05:48:41 -0500 (EST) (envelope-from ogud@ogud.com)
Message-ID: <4B7E6C88.2090206@ogud.com>
Date: Fri, 19 Feb 2010 05:48:40 -0500
From: Olafur Gudmundsson <ogud@ogud.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
MIME-Version: 1.0
To: ietf@ietf.org
Subject: Re: draft-ietf-dnsext-dnssec-gost
References: <201002152337.o1FNbbji028843@fs4113.wdf.sap.corp> <4B79EA46.2080509@ogud.com>
In-Reply-To: <4B79EA46.2080509@ogud.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.67 on 10.20.30.4
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2010 10:47:03 -0000

On 15/02/2010 7:43 PM, Olafur Gudmundsson wrote:
> On 15/02/2010 6:37 PM, Martin Rex wrote:
>> Mark Andrews wrote:
>>>
>>> In message<201002151420.o1FEKCMx024227@fs4113.wdf.sap.corp>, Martin
>>> Rex writes
>>> :
>>>> OK, I'm sorry. For the DNSsec GOST signature I-D, the
>>>> default/prefered (?)
>>>> parameter sets are explicitly listed in last paragraph of section 2
>>>> of draft-ietf-dnsext-dnssec-gost-06. However, it does _NOT_ say what to
>>>> do if GOST R34.10-2001 signatures with other parameter sets are
>>>> encountered.
>>>
>>> Since each end adds the parameters and they are NOT transmitted this
>>> can never happen. If one end was to change the parameters then nothing
>>> would validate.
>>
>>
>> OK. I didn't know anything abouth DNSSEC when I entered the disussion...
>>
>>
>> Having scanned some of the available document (rfc-4034,rfc-4035,rfc-2536
>> and the expired I-D draft-ietf-dnsext-ecc-key-10.txt) I'm wondering
>> about the following:
>>
>> - the DNS security algorithm tag ought to be GOST R34.10-2001
>> and not just "GOST"
>
> This is a good point, adding a version label is a possiblity in this
> case or just in the future cases, but I think slapping one on
> this is fine.
>
>>
>> - DSA and the expired ECC draft spell out the entire algorithm
>> parameters in the key RRs, which preclues having to assign
>> additional algorithm identifiers if a necessity comes up to
>> use different algorithm parameters.
> DSA did not cover the case if the key is > 1024 bit.
> ECC draft was killed due to the fact it was impossible to guarantee that
> a implementation supporting ECC would be able to handle all the
> possible curves that the proposal allowed.
>
>
>>
>> Wouldn't it be sensible to do the same for GOST R34.10-2001 keys --
>> i.e. list the parameter set as part of the public key data?
>> Given the procedure of the standardization body that defines GOST
>> the parameter set OID could be used in alternative to spelling
>> out each of the element in the parameter set in full.
>> Implying the paramter set A for the GOST R34.10-2001 algorithm does
>> not seem very "agile", given the limited number range for the algorithm
>> field in DNS security.
>>
> For interoperability reasons we WANT MINIMAL flexibility for
> implementors/users. Thus we stripped all that out and picked ONE
> possible GOST/2001 curve.
>
>> Given the differences between -1994 and -2001 versions,
>> any successor GOST R34.10-201X standard may not be able to reuse
>> the DNSKEY record anyway and need a new algorithm identifier.
>> And at that point, an unqualified label "GOST" would become
>> ambiguous.
>>
> see above,
>
>
> Olafur (document shepeard)
>
Martin,

Based on your comments and the possible confusion over registering the
memonic "GOST" for DNSSEC, I think it would be wise to change the DNSKEY 
Memonic to "ECC-GOST".

	Olafur (document shepeard)
PS: orignally we registered RSA for RSA/MD5 combination, then we got 
RSASHA1, RSASH256, RSASHA1NSEC3 ......, thus the first registered should 
not get a special shoter name than later variants :-)

v2.23.0 | Report a Bug | By Email