Re: [dnsext] about ECDSA
Paul Hoffman <paul.hoffman@vpnc.org> Fri, 06 April 2012 15:21 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8870221F8570; Fri, 6 Apr 2012 08:21:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1333725673; bh=8L360aSNCRaKATfkCIwF4HDAf/br8ocvFdM7PIvUKck=; h=Mime-Version:From:In-Reply-To:Date:Message-Id:References:To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=DDd1Cpk6+bQ1woC5vGiVsYOlNFpPqB/ZV3I2M38uaCdl184OYaakIUhbdVuwnlKoV Og9VTNDPOmJaGvXRFgGgqTg77A+U3ZBDlOJEusjVEWtA8V8li2oahK6t6LZNbqOkgX W097+sPMItEOtN6FpcJAwtZTAno99CzEl+9y0kMI=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08AE821F857F for <dnsext@ietfa.amsl.com>; Fri, 6 Apr 2012 08:21:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.5
X-Spam-Level:
X-Spam-Status: No, score=-102.5 tagged_above=-999 required=5 tests=[AWL=0.099, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yoKgmiIc3QxL for <dnsext@ietfa.amsl.com>; Fri, 6 Apr 2012 08:21:06 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id BB79A21F8570 for <dnsext@ietf.org>; Fri, 6 Apr 2012 08:21:06 -0700 (PDT)
Received: from [10.20.30.101] (50-0-66-4.dsl.dynamic.fusionbroadband.com [50.0.66.4]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.3) with ESMTP id q36FKuEn044698 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 6 Apr 2012 08:20:57 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0 (Apple Message framework v1257)
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <201204061509.q36F9g1l017556@givry.fdupont.fr>
Date: Fri, 06 Apr 2012 08:20:57 -0700
Message-Id: <F7011CF9-0678-4F30-986C-D7A0637D2652@vpnc.org>
References: <201204061509.q36F9g1l017556@givry.fdupont.fr>
To: Francis Dupont <francis.dupont@fdupont.fr>
X-Mailer: Apple Mail (2.1257)
Cc: dnsext@ietf.org
Subject: Re: [dnsext] about ECDSA
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
On Apr 6, 2012, at 8:09 AM, Francis Dupont wrote: > - my Fedora 16 compiles OpenSSL with no Elliptic Curve support (and > of course no ECDSA). If someone wants to put some pressure to get > this fixed, I'll join! This is a compile-time option for OpenSSL. If the version of OpenSSL that comes with Fedora 16 doesn't have the option, you can download a fresh version of OpenSSL and build it locally. > - in http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xml > SHA-384 is OPTIONAL. I believed the idea was to use it with the new > ECDSA keys, so this will have to be fixed in the long term. BTW how? Recycling of political discussion; deferred. > - I still have a question about the 256/384 pair: are they > supposed to be handled as two different algos (as RSASHA1 and > RSASHA256, or RSASHA256 and RSASHA512) or as the same algo > with two different "strengths"? Note at the beginning (i.e., > when I asked this many months ago) it was only a concern for > the signer but according to a recent discussion it is concern > for resolvers too. They are different algorithms with different strengths, so your either/or question doesn't make sense. Similarly, each of the defined SHA-2 variants are also different algorithms and each has a different strength. > - I have the performance figures with the last OpenSSL (1.0.1) > and its new assembly support (aka enable-ec_nistp_64_gcc_128), > unfortunately not available for P384 (can't see why)? > ECDSA is really faster on signing and the verifying is still > reasonable, so Paul's prediction about EC support quality > was correct. Good to hear. > PS: I am not the right person to ask for ECDSA support in > the next distribs (I don't say you shouldn't ask). Diddling with OpenSSL in the various Linux distros may not be such a good idea... > PPS: it should be good to get the examples with a date in > the future. Too late. :-) --Paul Hoffman _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- Re: [dnsext] about ECDSA Olafur Gudmundsson
- [dnsext] about ECDSA Francis Dupont
- Re: [dnsext] about ECDSA Paul Hoffman
- Re: [dnsext] about ECDSA Francis Dupont
- Re: [dnsext] about ECDSA W.C.A. Wijngaards
- Re: [dnsext] about ECDSA Wes Hardaker
- Re: [dnsext] about ECDSA Francis Dupont
- Re: [dnsext] about ECDSA Francis Dupont
- Re: [dnsext] about ECDSA Wes Hardaker
- Re: [dnsext] about ECDSA Michael StJohns