Re: draft-ietf-dnsext-dnssec-gost

Basil Dolmatov <> Tue, 16 February 2010 10:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A89253A7CB1 for <>; Tue, 16 Feb 2010 02:17:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.129
X-Spam-Status: No, score=-1.129 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_RU=0.595, HOST_EQ_RU=0.875]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UfnOsNnu9kVO for <>; Tue, 16 Feb 2010 02:17:16 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 888ED3A7CB7 for <>; Tue, 16 Feb 2010 02:17:16 -0800 (PST)
Received: from [] ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTP id C5359465FA; Tue, 16 Feb 2010 13:18:48 +0300 (MSK)
Message-ID: <>
Date: Tue, 16 Feb 2010 13:18:48 +0300
From: Basil Dolmatov <>
User-Agent: Thunderbird (X11/20090817)
MIME-Version: 1.0
Subject: Re: draft-ietf-dnsext-dnssec-gost
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 16 Feb 2010 10:17:17 -0000

Martin Rex пишет:

> What I don't understand is whether the deprecation applies to
> GOST R34.10-1994 in general, 
> or only to GOST R34.10-1994 as a
> signature algorithm.
> I am somewhat illiterate to crypto math, so I'm wondering whether
> it is technicall possible to use a GOST R34.10-1994 key agreement
> (ephemeral keys) in conjunction with GOST R34.10-2001 certs&signatures,
Never ever interested. ;)
> and if yes -- whether that is still permitted by russian authorities.

I should correct myself, the check against relevant documentation showed 
that it was more prolonged grace period allowed by authorities.

The usage of GOST R 34.10-94 is fully prohibited starting 1 of January 2008.
With one exception: it is allowed to check signatures under already 
signed archived documents using this algorithm.

As for TLS, using GOST R 34.10-94, this is fully non-compliant to 
Russian standards and should not be used.

Definitely, noone can be obliged to follow this outside the Russia or 
when using crypto in home environment or something of the kind.

Nevertheless, I would consider following this as a strong guideline 
because of two thoughts:
  - first of all, I think there was some reason for creating and putting 
into operation of new standard, spending a lot on its preparation and 
transition to it (consider GOST 28147-89, which is active for 20 years)
  - no certified software/hardware will support deprecated algorithm, so 
there definitely will interoperability problems.

I would like to return to topic, which concerns with the document 
describing the DNSSec extension with GOST algoritm.
This document quotes RFC4357 as a reference to the used parameter set. 
Nothing more.

This document uses the only valid set of GOST algorithms for the purpose 
of usage in the DNSSec . In this document no TLS is used, no key 
agreement procedures are used, etc.


============ new topic ========

I think that the representation of GOST algorithms in IETF is relatively 
poor now. There should be several other documents which makes the 
structure and usage of these algorithms more clear for those who will be 
willing to implement it and for those who suddenly found it been 
implemented in his/her software/hardware already.
This work has been already started from publication of standards' 
translation to English as Informational RFCs to have some basiv 
reference point. Then, there should be other document, describing 
implementation of GOST algorithm in detail in the manner to which IETF 
community is used to (The style of Russian standards is really hard for 
comprehension). There will be a lot of issues (defining scopes, fixing 
parameter sets, setting OIDs, ensuring non-controversity with existing 
implementations, etc.) which have to be solved when preparing this 
document, some of them were quoted in different GOST-relevant 
discussions. All of these comments are carefully collected and I hope 
will help a lot when preparing this document.


> -Martin