Re: [dnsext] about ECDSA
Olafur Gudmundsson <ogud@ogud.com> Thu, 12 April 2012 13:17 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63BEF21F8606; Thu, 12 Apr 2012 06:17:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1334236672; bh=gCPkWAbbqjTH7FkeWdvstk2fF6sYWubm5BQXoYFRcQg=; h=Message-ID:Date:From:MIME-Version:To:References:In-Reply-To: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Transfer-Encoding:Content-Type:Sender; b=hMVU82zHdmFhc+LT4z9AzDGCPtQcclgbHilVXyUToe/u1lrtaV1lqBnvzOYnTzDQy cD6JOVLTHUgCHH47wv3QIKLDvHr+QoXY/b0f/dohj24WbAunVmi8FiLKszhqXmYrxo sx6VyvNVdFih0IbEJHFYpSljayU1tw7ojjs5U9Ks=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF62B21F8552 for <dnsext@ietfa.amsl.com>; Thu, 12 Apr 2012 06:17:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oOF4uMawOTJJ for <dnsext@ietfa.amsl.com>; Thu, 12 Apr 2012 06:17:49 -0700 (PDT)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id 34CD021F8633 for <dnsext@ietf.org>; Thu, 12 Apr 2012 06:17:49 -0700 (PDT)
Received: from [IPv6:::1] (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id q3CDHlZw074537 for <dnsext@ietf.org>; Thu, 12 Apr 2012 09:17:47 -0400 (EDT) (envelope-from ogud@ogud.com)
Message-ID: <4F86D5FA.8070800@ogud.com>
Date: Thu, 12 Apr 2012 09:17:46 -0400
From: Olafur Gudmundsson <ogud@ogud.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: dnsext@ietf.org
References: <201204111057.q3BAvCSF044106@givry.fdupont.fr>
In-Reply-To: <201204111057.q3BAvCSF044106@givry.fdupont.fr>
X-Scanned-By: MIMEDefang 2.72 on 10.20.30.4
Subject: Re: [dnsext] about ECDSA
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
On 11/04/2012 06:57, Francis Dupont wrote: > In your previous mail you wrote: > >> On 04/06/2012 08:23 PM, Francis Dupont wrote: >> >>> - I still have a question about the 256/384 pair: are they >> >>> supposed to be handled as two different algos (as RSASHA1 and >> >>> RSASHA256, or RSASHA256 and RSASHA512) or as the same algo with >> >>> two different "strengths"? Note at the beginning (i.e., when I >> >>> asked this many months ago) it was only a concern for the >> >>> signer but according to a recent discussion it is concern for >> >>> resolvers too. >> >> The first not the latter, like RSASHA1 and RSASHA256, they are >> different algorithms. Use the same algorithm for your ZSK and KSK >> (but apply different policy). > > => note my question is really about the application of the word > "same" to ECDSAP256SHA256 / ECDSAP384SHA384 (a priori if they > have different code points and names they are not the "same", > now RSA has a degree of freedom which is not present in ECDSA). > >> >> They are different algorithms with different strengths, so your >> >> either/or question doesn't make sense. Similarly, each of the >> >> defined SHA-2 variants are also different algorithms and each has >> >> a different strength. >> > >> > => I'll rephrase the question: does it make sense to use >> > ECDSAP256SHA256 for ZSKs and ECDSAP384SHA384 for the KSK? >> >> No, that is dnssec-bogus. The ECDSAP384SHA384 for KSK but does not >> sign the zone is a signing-error. You must sign the entire zone with >> that algorithm, if you use it. The algorithm-support is signalled >> per-algorithm in DS and DNSKEY records, not for a range or suite of >> algorithms. > > => I agree but I want to be sure it is the intented thing. > If there is no opposed opinion in the list I follow you. > Think of the two ECDSA allocations as two DIFFERENT algorithms, if you elect to use KSK and ZSK split (which I do not think not always needed) ECDSA does not allow you the flexibility to pick strength for the various roles. Thus you pick the ECDSA algorithm that your KSK role needs/demands. Olafur _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- Re: [dnsext] about ECDSA Olafur Gudmundsson
- [dnsext] about ECDSA Francis Dupont
- Re: [dnsext] about ECDSA Paul Hoffman
- Re: [dnsext] about ECDSA Francis Dupont
- Re: [dnsext] about ECDSA W.C.A. Wijngaards
- Re: [dnsext] about ECDSA Wes Hardaker
- Re: [dnsext] about ECDSA Francis Dupont
- Re: [dnsext] about ECDSA Francis Dupont
- Re: [dnsext] about ECDSA Wes Hardaker
- Re: [dnsext] about ECDSA Michael StJohns