Re: draft-ietf-dnsext-dnssec-gost
Basil Dolmatov <dol@cryptocom.ru> Tue, 16 February 2010 10:17 UTC
Return-Path: <dol@cryptocom.ru>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A89253A7CB1 for <ietf@core3.amsl.com>; Tue, 16 Feb 2010 02:17:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.129
X-Spam-Level:
X-Spam-Status: No, score=-1.129 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_RU=0.595, HOST_EQ_RU=0.875]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UfnOsNnu9kVO for <ietf@core3.amsl.com>; Tue, 16 Feb 2010 02:17:16 -0800 (PST)
Received: from mx.cryptocom.ru (mx.cryptocom.ru [89.188.97.107]) by core3.amsl.com (Postfix) with ESMTP id 888ED3A7CB7 for <ietf@ietf.org>; Tue, 16 Feb 2010 02:17:16 -0800 (PST)
Received: from [10.51.22.241] (reedcat.lan.cryptocom.ru [10.51.22.241]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.cryptocom.ru (Postfix) with ESMTP id C5359465FA; Tue, 16 Feb 2010 13:18:48 +0300 (MSK)
Message-ID: <4B7A7108.7020600@cryptocom.ru>
Date: Tue, 16 Feb 2010 13:18:48 +0300
From: Basil Dolmatov <dol@cryptocom.ru>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: mrex@sap.com
Subject: Re: draft-ietf-dnsext-dnssec-gost
References: <201002151821.o1FILvoF009275@fs4113.wdf.sap.corp>
In-Reply-To: <201002151821.o1FILvoF009275@fs4113.wdf.sap.corp>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Feb 2010 10:17:17 -0000
Martin Rex пишет: > > > > What I don't understand is whether the deprecation applies to > GOST R34.10-1994 in general, Yes. > or only to GOST R34.10-1994 as a > signature algorithm. No. > > > I am somewhat illiterate to crypto math, so I'm wondering whether > it is technicall possible to use a GOST R34.10-1994 key agreement > (ephemeral keys) in conjunction with GOST R34.10-2001 certs&signatures, Never ever interested. ;) > and if yes -- whether that is still permitted by russian authorities. No. I should correct myself, the check against relevant documentation showed that it was more prolonged grace period allowed by authorities. The usage of GOST R 34.10-94 is fully prohibited starting 1 of January 2008. With one exception: it is allowed to check signatures under already signed archived documents using this algorithm. As for TLS, using GOST R 34.10-94, this is fully non-compliant to Russian standards and should not be used. Definitely, noone can be obliged to follow this outside the Russia or when using crypto in home environment or something of the kind. Nevertheless, I would consider following this as a strong guideline because of two thoughts: - first of all, I think there was some reason for creating and putting into operation of new standard, spending a lot on its preparation and transition to it (consider GOST 28147-89, which is active for 20 years) - no certified software/hardware will support deprecated algorithm, so there definitely will interoperability problems. I would like to return to topic, which concerns with the document describing the DNSSec extension with GOST algoritm. This document quotes RFC4357 as a reference to the used parameter set. Nothing more. This document uses the only valid set of GOST algorithms for the purpose of usage in the DNSSec . In this document no TLS is used, no key agreement procedures are used, etc. dol@ ============ new topic ======== I think that the representation of GOST algorithms in IETF is relatively poor now. There should be several other documents which makes the structure and usage of these algorithms more clear for those who will be willing to implement it and for those who suddenly found it been implemented in his/her software/hardware already. This work has been already started from publication of standards' translation to English as Informational RFCs to have some basiv reference point. Then, there should be other document, describing implementation of GOST algorithm in detail in the manner to which IETF community is used to (The style of Russian standards is really hard for comprehension). There will be a lot of issues (defining scopes, fixing parameter sets, setting OIDs, ensuring non-controversity with existing implementations, etc.) which have to be solved when preparing this document, some of them were quoted in different GOST-relevant discussions. All of these comments are carefully collected and I hope will help a lot when preparing this document. dol@ > > > > -Martin >
- Re: draft-ietf-dnsext-dnssec-gost Paul Hoffman
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson
- draft-ietf-dnsext-dnssec-gost Stephen Kent
- Re: draft-ietf-dnsext-dnssec-gost Andrew Sullivan
- Re: draft-ietf-dnsext-dnssec-gost Paul Hoffman
- Re: draft-ietf-dnsext-dnssec-gost Richard L. Barnes
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Michael Dillon
- Re: draft-ietf-dnsext-dnssec-gost Sean Turner
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Sean Turner
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost Stephen Farrell
- Re: draft-ietf-dnsext-dnssec-gost Andrew Sullivan
- Re: draft-ietf-dnsext-dnssec-gost Stephen Kent
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost David Conrad
- Re: draft-ietf-dnsext-dnssec-gost Edward Lewis
- Re: draft-ietf-dnsext-dnssec-gost Sean Turner
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost ned+ietf
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Stephen Kent
- Re: draft-ietf-dnsext-dnssec-gost Stephen Kent
- RE: draft-ietf-dnsext-dnssec-gost Rex, Martin
- Re: draft-ietf-dnsext-dnssec-gost Spencer Dawkins
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Mark Andrews
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost Andrew Sullivan
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Ran Atkinson
- Re: draft-ietf-dnsext-dnssec-gost Phillip Hallam-baker
- Re: draft-ietf-dnsext-dnssec-gost Phillip Hallam-baker
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson