IETF Logo Mail Archive

Re: draft-ietf-dnsext-dnssec-gost

Phillip Hallam-baker <hallam@gmail.com> Mon, 15 February 2010 17:59 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E6B8928C1FF for <ietf@core3.amsl.com>; Mon, 15 Feb 2010 09:59:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zEVLHAVwmScg for <ietf@core3.amsl.com>; Mon, 15 Feb 2010 09:59:05 -0800 (PST)
Received: from qw-out-2122.google.com (qw-out-2122.google.com [74.125.92.24]) by core3.amsl.com (Postfix) with ESMTP id 9D0C728C1F0 for <ietf@ietf.org>; Mon, 15 Feb 2010 09:59:05 -0800 (PST)
Received: by qw-out-2122.google.com with SMTP id 9so68700qwb.31 for <ietf@ietf.org>; Mon, 15 Feb 2010 10:00:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:references:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:x-mailer :mime-version:subject:date:cc; bh=I5NUCbrRQfSqaXq2iLCTDyJrSpclsFkS/41ai4+S078=; b=NvJiZat44uCnF5w/F/IV4v4xHsFLEQLhzK5v85DmReENCLKABHCyIsi0ZLa7Io4nZZ NnzCEV+AQwpJzS9/Q+zUpRDNc9NJZDiEKi9T8584qINtlIgoSOredt2GXjV66L/1PalQ ZyQxStbuJ/SY+m6BnWgkkm2lP87lVFtKr2+io=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=references:message-id:from:to:in-reply-to:content-type :content-transfer-encoding:x-mailer:mime-version:subject:date:cc; b=ttxX22LS/evT3C4lD8hjpFL3klb87kwub/01y33ODE8DxibR1HDXqZu4KeWfISZzqn k6jezt791TBgkXoIzpnDWJ1RSb0/1UK2vryxAAmr3FpBK5Y2wDC9k2i0DvchG2n1i7QQ iCs3HIEwS6XyRD/Dpq5iHXkxVKzfgXTx5yzNA=
Received: by 10.224.66.66 with SMTP id m2mr136605qai.264.1266256831037; Mon, 15 Feb 2010 10:00:31 -0800 (PST)
Received: from ?10.155.67.191? ([32.141.234.73]) by mx.google.com with ESMTPS id 21sm4434659qyk.0.2010.02.15.10.00.26 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 15 Feb 2010 10:00:29 -0800 (PST)
References: <201002130251.o1D2pjGt012896@fs4113.wdf.sap.corp> <4B76DD50.5070404@cryptocom.ru> <D28848FB278CE54FB6A302F413ECF73005A4A5C41E@DEWDFECCR07.wdf.sap.corp>
Message-Id: <A9418A26-869B-4329-A8CB-90FD229E8D71@gmail.com>
From: Phillip Hallam-baker <hallam@gmail.com>
To: "Rex, Martin" <martin.rex@sap.com>
In-Reply-To: <D28848FB278CE54FB6A302F413ECF73005A4A5C41E@DEWDFECCR07.wdf.sap.corp>
Content-Type: text/plain; charset="us-ascii"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
X-Mailer: iPhone Mail (5H11)
Mime-Version: 1.0 (iPhone Mail 5H11)
Subject: Re: draft-ietf-dnsext-dnssec-gost
Date: Mon, 15 Feb 2010 12:59:58 -0500
X-Mailman-Approved-At: Tue, 16 Feb 2010 08:09:52 -0800
Cc: "ietf@ietf.org" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2010 17:59:07 -0000

Perhaps it would help elucidate matters if we knew the precise criteria

In particular, is the requirement to support Gost or is it that all  
the algs used be approved

If the second case 1) what would be the root zone criteria and 2)  
would these regulation issues disappear if the root zone were  
differently managed?


Sent from my iPhone

On Feb 15, 2010, at 10:09 AM, "Rex, Martin" <martin.rex@sap.com> wrote:

>
>
>> -----Original Message-----
>>    This document:
>>
>>
>> http://tools.ietf.org/html/draft-dolmatov-cryptocom-gost34102001-08
>>
>>    says
>>
>>    section 1.1:
>>
>>       4. GOST R 34.10-2001 replaces GOST R 34.10-94.
>>
>>    section 1,2:
>>
>>       GOST R 34.10-2001 is developed to replace GOST R 34.10-94.
>>
>>
>> Both statement are right.
>
> :-)
>
> Both statements are completely useless.
>
> AES is a replacement/successor to DES.
> SHA-2 is a replacement to SHA-1.  So what?
>
> Getting rfc-4357 published without the slightest indication
> that the acceptibility of GOST R34.10-1994 had already expired
> 2 years before is a serious problem in that document.
>
> What really confuses me is that software that there are
> GOST toolkits shipped even today that support GOST R34.10-1994.
>
> OpenSSL also contains an implementation of GOST R34.10-1994
> and the GOST TLS ciphersuites draft also contains a ciphersuite
> with a GOST R34.10-1994 signaturer algorithm.
>
>
> In effect, whether and how much GOST R34.10-1994 is deprecated
> remains a complete mystery.
>
>
>>
>>
>> 2. GOST R 34.10-2001 was accepted and activated by the Act 380-st of
>>   12.09.2001 issued by the Russian federal committee for standards.
>>
>>   ...
>>
>> 4. GOST R 34.10-2001 replaces GOST R 34.10-94.
>>
>> So, GOST -1994 for digital signature _is_ deprecated and
>> replaced from 12.09.2001.
>>
>> The transition period is not stated explicitly because it is
>> obvious from standard procedure of certification in Russia.
>
>
> I would like to remind you that we are the IETF here, and
> that implementations of DNS-SEC must remain possible without
> an official certification in Russia.
>
> DNS-SEC would not make much sense if it could not be used
> by implementations that are _not_ certified in Russia.
>
>
>>
>>    That information OUGHT to have been added to rfc-4357
>> and it ought to be
>>    added to draft-dolmatov-cryptocom-gost34102001-08.
>>
>> Why?
>> Now is 2010, and all implementations of -1994 standard have
>> been completely phased out more than 5 years ago.
>
>
> There seems to be a disagreement between this statement and
> reality.
>
> The GOST crypto toolkit shipped by the Company CryptoPro
> (author behind rfc-4357 and draft-chudov-cryptopro-cptls-04)
> still implements GOST R34.10-1994, and both documents
> list GOST R34.10-1994 in a fashion that does _NOT_
> suggest that this algorithm may no longer be used.
>
> The GOST implementation in OpenSSL, provided by a different
> russian company, also implements/provides GOST R34.10-1994.
>
>
>>
>> This statement was inserted following the advice of Russ Housley.
>>
>> The main reason for that was that this text is a
>> _translation_ of the text of official Russian state standard.
>> At the moment of its creation this text was thoroughly
>> checked with authors of original standard for consistency.
>> Any editorial changes/corrections could diverge the
>> translation from the original, which is undesirable.
>>
>> I agreed with this Russ's reasoning.
>
>
> I agree to the intent.
>
> The words that were used are very inadequate and misleading.
>
> This is not the first RFC that represents a republication of
> a standard controlled by a different standardization body
> or private entity.
>
> Just use something like your explanation instead, and
> it will likely have the desired effect on the comments
> you receive for this document.
>
> Random other example for how other RFCs have done this:
>
> RFC-2986 (PKCS-10) http://tools.ietf.org/html/rfc2986
>
>   Abstract
>
>   This memo represents a republication of PKCS #10 v1.7 from RSA
>   Laboratories' Public-Key Cryptography Standards (PKCS) series, and
>   change control is retained within the PKCS process.  The body of  
> this
>   document, except for the security considerations section, is taken
>   directly from the PKCS #9 v2.0 or the PKCS #10 v1.7 document.
>
>
>>
>> I do understand that the structure and the style of these
>> documents are unfamiliar to the significant part of
>> community, but this is because of the fact it is
>> _a_translation_ of official standard text.
>> It is not a retelliing or compilation, it is a _translation_.
>>
>> And it is intended to exist as a reference to the  origin,
>> when creating further IETF documents, which will be pure IETF
>> documents and will be commented and edited when necessary.
>
>
> A republication only makes sense if it is sufficient to
> understand and implement the technology.  If you respond
> to a request for clarification with
>
> "because it is obvious from standard procedure of
> certification in Russia."
>
> then there may be a significant misunderstanding about
> the purpose of informational RFC documents.  That only
> makes sense if it is sufficiently complete and clear
> to allow for independent interoperable implementations
> of IETF protocols.
>
>
> -Martin
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email