Re: [keyassure] Opening issue #21: "Need to specify which crypto algorithms and certificate types are mandatory to implement"
Phillip Hallam-Baker <hallam@gmail.com> Fri, 04 March 2011 00:28 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B47743A68E2 for <keyassure@core3.amsl.com>; Thu, 3 Mar 2011 16:28:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.562
X-Spam-Level:
X-Spam-Status: No, score=-3.562 tagged_above=-999 required=5 tests=[AWL=0.036, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o92Q3Podq3tW for <keyassure@core3.amsl.com>; Thu, 3 Mar 2011 16:28:46 -0800 (PST)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by core3.amsl.com (Postfix) with ESMTP id 94A8D3A68B5 for <keyassure@ietf.org>; Thu, 3 Mar 2011 16:28:45 -0800 (PST)
Received: by bwz13 with SMTP id 13so1951690bwz.31 for <keyassure@ietf.org>; Thu, 03 Mar 2011 16:29:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Tu9tjFncnEJJNFIt5sLqvT5w1NkgZRgP5OA+ZTu3UuA=; b=QzQqCWV9jhtmDku9pK7GpVedrSE8kFkWyl+DUzfyDOPaSXP3tGe4XRqRH6Cu1XGYZm Dnw8n1pgjgSCOouuMmutcyLU4I4Y80ktWY0hvwAUufBdxV4Z/9DEJpP/XREVIdXdPCxr EO40WXzyIogVKcFiBwYzILzuKi6ZxZRToJyTk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=BzNiRzmVVxLripV6jI01jWwqIEc+q5RUyguhKvDGMAOadKmU+cmZgFXbl4ngW4fwKz lKo9glaX0ys394cz7qS9Qk+tHOXMMY5VVzyIv1h0Pq3Jixq1wHC7AOxOFKMcDC3z6l+T YWntLcCWyoAWKwMl3/TfhW41qXNl/hT72JYDs=
MIME-Version: 1.0
Received: by 10.204.231.2 with SMTP id jo2mr27333bkb.60.1299198593030; Thu, 03 Mar 2011 16:29:53 -0800 (PST)
Received: by 10.204.14.139 with HTTP; Thu, 3 Mar 2011 16:29:52 -0800 (PST)
In-Reply-To: <7CDBED48-C800-4169-AF59-72075BA7EC2E@kumari.net>
References: <9933A160-3DAF-42FA-B5FA-DDF185FA5C63@kumari.net> <7CDBED48-C800-4169-AF59-72075BA7EC2E@kumari.net>
Date: Thu, 03 Mar 2011 19:29:52 -0500
Message-ID: <AANLkTikMvbhbDV5UUAKeMSOZT5s3nsd7CCq=bFYBjfk0@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Warren Kumari <warren@kumari.net>
Content-Type: multipart/alternative; boundary="485b393ab631a158ad049d9d3ee9"
Cc: keyassure@ietf.org
Subject: Re: [keyassure] Opening issue #21: "Need to specify which crypto algorithms and certificate types are mandatory to implement"
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Mar 2011 00:28:47 -0000
That works for me On Thu, Mar 3, 2011 at 2:36 PM, Warren Kumari <warren@kumari.net> wrote: > Hi all, > > After watching the thread, I'd like to propose this as a strawman: > > Mandatory to implement algorithms are SHA-256 and SHA-384. For now, these > are all we specify. > > My reasoning behind this is: > 1: We don't want to support too many algorithms -- it leads to complexity > (which leads to weaker security) and opens the door to interoperability > issues and fights over why algorithm X was allowed and Y was not. > > 2: Having more than 1 algorithm forces implementations to understand that > there is not just one, and so should help lead towards algorithm agility > > 3: In order to do DANE, you have to be able to do DNSSEC -- in order to do > DNSSEC you should already support the above. > > 4: (IMO, an important one, even if not technical one) giving people the > ability to choose will lead to greater deployment. Some folk will claim that > SHA-256 is too short. Some will claim that SHA-384 is excessively long and > computationally expensive. Some will claim something completely random. > Almost none of them will have any (rational) basis for their claims, but > allowing them to use the algorithm they believe is superior will make them > more likely to deploy. > > 5: 2 algorithms seems like enough. While SHA1 may or may not be suitable > (my (and to be completely blunt, your) views don't really matter) -- there > are enough strong views on the strength / lifetime that we are likely to get > bogged down / splinter over this. If we were already deployed with SHA1 this > would be an important decision, but seeing as we're not, I think that > avoiding fight (and living to see another day) is best. > Once again, I'm not saying that I think that SHA1 is (or isn't) fine for > this, rather that, in order to get deployed, we should avoid the issue. > > #4 and #5 might be pandering, but if it doesn't decrease security, and > leads to sooner / more deployment it seems like a win.... > > Does anyone object to this (for any reasons other than "You're running away > from the fight, you coward!")? > Please speak soon, as we'd love to close this out.... > > <chair hat> > Please don't let this dissolve into a "algorithm X is better than Y, and Z > is a pile o' rubble" discussion -- while that may be true, this is not the > time or place to have it.... > </chair hat> > > W > > > On Feb 25, 2011, at 4:31 PM, Warren Kumari wrote: > > > Hi all, > > > > While we are all ruminating on the other issues, I figured we might as > well try address this one: > > > > Need to specify which crypto algorithms and certificate types are > mandatory to implement -- > http://trac.tools.ietf.org/wg/dane/trac/ticket/21 > > > > Description: > > Currently, the draft is silent on which crypto algorithms and certificate > types must be implemented for interoperability. It should be specific before > the document is finished. > > > > > > W > > _______________________________________________ > > keyassure mailing list > > keyassure@ietf.org > > https://www.ietf.org/mailman/listinfo/keyassure > > > > _______________________________________________ > keyassure mailing list > keyassure@ietf.org > https://www.ietf.org/mailman/listinfo/keyassure > -- Website: http://hallambaker.com/
- [keyassure] Opening issue #21: "Need to specify w… Warren Kumari
- Re: [keyassure] Opening issue #21: "Need to speci… Phillip Hallam-Baker
- Re: [keyassure] Opening issue #21: "Need to speci… Paul Hoffman
- Re: [keyassure] Opening issue #21: "Need to speci… Jakob Schlyter
- Re: [keyassure] Opening issue #21: "Need to speci… Paul Hoffman
- Re: [keyassure] Opening issue #21: "Need to speci… Martin Rex
- Re: [keyassure] Opening issue #21: "Need to speci… Phillip Hallam-Baker
- Re: [keyassure] Opening issue #21: "Need to speci… Martin Rex
- Re: [keyassure] Opening issue #21: "Need to speci… Martin Rex
- Re: [keyassure] Opening issue #21: "Need to speci… Phillip Hallam-Baker
- Re: [keyassure] Opening issue #21: "Need to speci… Martin Rex
- Re: [keyassure] Opening issue #21: "Need to speci… Phillip Hallam-Baker
- Re: [keyassure] Opening issue #21: "Need to speci… Stephen Farrell
- Re: [keyassure] Opening issue #21: "Need to speci… Nicholas Weaver
- Re: [keyassure] Opening issue #21: "Need to speci… Chris Palmer
- Re: [keyassure] Opening issue #21: "Need to speci… Stephen Farrell
- Re: [keyassure] Opening issue #21: "Need to speci… Paul Hoffman
- Re: [keyassure] Opening issue #21: "Need to speci… Nicholas Weaver
- Re: [keyassure] Opening issue #21: "Need to speci… Paul Hoffman
- Re: [keyassure] Opening issue #21: "Need to speci… Stephen Farrell
- Re: [keyassure] Opening issue #21: "Need to speci… Phillip Hallam-Baker
- Re: [keyassure] Opening issue #21: "Need to speci… Scott Schmit
- Re: [keyassure] Opening issue #21: "Need to speci… Stephen Farrell
- Re: [keyassure] Opening issue #21: "Need to speci… Phillip Hallam-Baker
- Re: [keyassure] Opening issue #21: "Need to speci… Warren Kumari
- Re: [keyassure] Opening issue #21: "Need to speci… Sean Turner
- Re: [keyassure] Opening issue #21: "Need to speci… Paul Hoffman
- Re: [keyassure] Opening issue #21: "Need to speci… Phillip Hallam-Baker
- Re: [keyassure] Opening issue #21: "Need to speci… Martin Rex
- [keyassure] crypto hash alg deprecation is a myth Martin Rex
- Re: [keyassure] crypto hash alg deprecation is a … Rob Stradling
- Re: [keyassure] crypto hash alg deprecation is a … Phillip Hallam-Baker
- Re: [keyassure] crypto hash alg deprecation is a … Andrew Sullivan
- Re: [keyassure] Opening issue #21: "Need to speci… Warren Kumari
- Re: [keyassure] Opening issue #21: "Need to speci… Phillip Hallam-Baker
- Re: [keyassure] crypto hash alg deprecation is a … Peter Gutmann
- Re: [keyassure] Opening issue #21: "Need to speci… Peter Gutmann
- Re: [keyassure] Opening issue #21: "Need to speci… Phillip Hallam-Baker
- Re: [keyassure] Opening issue #21: "Need to speci… Paul Hoffman
- Re: [keyassure] Opening issue #21: "Need to speci… Nicholas Weaver
- Re: [keyassure] Opening issue #21: "Need to speci… Yoav Nir
- Re: [keyassure] Opening issue #21: "Need to speci… Peter Gutmann
- Re: [keyassure] Opening issue #21: "Need to speci… Andrew Sullivan
- Re: [keyassure] Opening issue #21: "Need to speci… Martin Rex
- Re: [keyassure] Opening issue #21: "Need to speci… Phillip Hallam-Baker
- Re: [keyassure] Opening issue #21: "Need to speci… Peter Gutmann
- Re: [keyassure] Opening issue #21: "Need to speci… Paul Hoffman
- Re: [keyassure] Opening issue #21: "Need to speci… Paul Hoffman
- Re: [keyassure] Opening issue #21: "Need to speci… Andrew Sullivan
- Re: [keyassure] Opening issue #21: "Need to speci… Paul Hoffman
- Re: [keyassure] Opening issue #21: "Need to speci… bmanning
- Re: [keyassure] Opening issue #21: "Need to speci… Phillip Hallam-Baker
- Re: [keyassure] Opening issue #21: "Need to speci… Murray S. Kucherawy
- Re: [keyassure] Opening issue #21: "Need to speci… Murray S. Kucherawy
- Re: [keyassure] Opening issue #21: "Need to speci… Ben Laurie
- Re: [keyassure] Opening issue #21: "Need to speci… Jakob Schlyter
- Re: [keyassure] Opening issue #21: "Need to speci… Paul Hoffman
- Re: [keyassure] Opening issue #21: "Need to speci… George Barwood
- Re: [keyassure] Opening issue #21: "Need to speci… Phillip Hallam-Baker
- Re: [keyassure] Opening issue #21: "Need to speci… Paul Hoffman
- Re: [keyassure] Opening issue #21: "Need to speci… Phillip Hallam-Baker
- Re: [keyassure] Opening issue #21: "Need to speci… Jakob Schlyter
- Re: [keyassure] Opening issue #21: "Need to speci… Martin Rex
- Re: [keyassure] Opening issue #21: "Need to speci… Yoav Nir
- Re: [keyassure] Opening issue #21: "Need to speci… Chris Palmer
- Re: [keyassure] Opening issue #21: "Need to speci… Paul Hoffman
- Re: [keyassure] Opening issue #21: "Need to speci… Warren Kumari
- Re: [keyassure] Opening issue #21: "Need to speci… Chris Palmer
- Re: [keyassure] Opening issue #21: "Need to speci… Paul Hoffman
- Re: [keyassure] Opening issue #21: "Need to speci… Chris Palmer
- Re: [keyassure] Opening issue #21: "Need to speci… Peter Gutmann
- Re: [keyassure] Opening issue #21: "Need to speci… bmanning
- Re: [keyassure] Opening issue #21: "Need to speci… Brian Smith
- Re: [keyassure] Opening issue #21: "Need to speci… Jakob Schlyter
- Re: [keyassure] Opening issue #21: "Need to speci… Ben Laurie
- Re: [keyassure] Opening issue #21: "Need to speci… Rob Stradling
- Re: [keyassure] Opening issue #21: "Need to speci… George Barwood
- Re: [keyassure] Opening issue #21: "Need to speci… Sean Turner
- Re: [keyassure] Opening issue #21: "Need to speci… Nicholas Weaver
- Re: [keyassure] Opening issue #21: "Need to speci… Paul Hoffman
- Re: [keyassure] Opening issue #21: "Need to speci… Martin Rex
- Re: [keyassure] Opening issue #21: "Need to speci… bmanning
- Re: [keyassure] Opening issue #21: "Need to speci… bmanning
- Re: [keyassure] Opening issue #21: "Need to speci… Yoav Nir
- Re: [keyassure] Opening issue #21: "Need to speci… Phillip Hallam-Baker
- Re: [keyassure] Opening issue #21: "Need to speci… Chris Palmer
- Re: [keyassure] Opening issue #21: "Need to speci… Peter Gutmann
- Re: [keyassure] Opening issue #21: "Need to speci… Peter Gutmann
- Re: [keyassure] Opening issue #21: "Need to speci… Peter Gutmann
- Re: [keyassure] Opening issue #21: "Need to speci… Paul Hoffman
- Re: [keyassure] Opening issue #21: "Need to speci… Warren Kumari
- Re: [keyassure] Opening issue #21: "Need to speci… Paul Hoffman
- Re: [keyassure] Opening issue #21: "Need to speci… Warren Kumari
- Re: [keyassure] Opening issue #21: "Need to speci… Tony Hansen