Re: [dnsext] about ECDSA

Francis Dupont <Francis.Dupont@fdupont.fr> Fri, 06 April 2012 18:23 UTC

Message-Id: <201204061823.q36INnkS029691@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-reply-to: Your message of Fri, 06 Apr 2012 08:20:57 PDT. <F7011CF9-0678-4F30-986C-D7A0637D2652@vpnc.org>
Date: Fri, 06 Apr 2012 20:23:49 +0200
Cc: dnsext@ietf.org
Subject: Re: [dnsext] about ECDSA

 In your previous mail you wrote:

>  > - my Fedora 16 compiles OpenSSL with no Elliptic Curve support (and
>  >  of course no ECDSA). If someone wants to put some pressure to get
>  >  this fixed, I'll join!
>  
>  This is a compile-time option for OpenSSL.

=> in fact a configure-time option: after this unexpected (:-) test of
the ECDSA support detection, I looked at the .spec file: OpenSSL was
configured with 'no-ec no-ecdh no-ecdsa'...

> If the version of OpenSSL that comes with Fedora 16 doesn't have the
> option, you can download a fresh version of OpenSSL and build it
> locally.

=> I did this and took the opportunity to try the new 1.0.1 version.

>  > - I still have a question about the 256/384 pair: are they
>  >  supposed to be handled as two different algos (as RSASHA1 and
>  >  RSASHA256, or RSASHA256 and RSASHA512) or as the same algo
>  >  with two different "strengths"? Note at the beginning (i.e.,
>  >  when I asked this many months ago) it was only a concern for
>  >  the signer but according to a recent discussion it is a concern
>  >  for resolvers too.
>  
>  They are different algorithms with different strengths, so your
>  either/or question doesn't make sense. Similarly, each of the defined
>  SHA-2 variants are also different algorithms and each has a different
>  strength.

=> I'll rephrase the question: does it make sense to use
ECDSAP256SHA256 for ZSKs and ECDSAP384SHA384 for the KSK?

>  > PS: I am not the right person to ask for ECDSA support in
>  > the next distribs (I don't say you shouldn't ask).

=> oops, I should have added "bind9" here.

Thanks

Francis.Dupont@fdupont.fr
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
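Added example (not part of the thread above, and not code from either correspondent or from BIND9): a POSIX shell script that first probes whether the local OpenSSL was configured with EC support, as Francis found his Fedora build was not, and then exercises the two curve/hash pairs behind DNSSEC algorithms 13 (ECDSAP256SHA256, curve prime256v1) and 14 (ECDSAP384SHA384, curve secp384r1). The cross check at the end signs with one pair and verifies with the other, which fails, illustrating Paul's point that they are distinct algorithms rather than one algorithm at two strengths. The one-line RRset text is constructed input; real DNSSEC signs the canonical wire form, and RFC 6605 carries the signature as raw r||s (64 or 96 octets) rather than the DER encoding `openssl dgst` writes, so this is a capability and algorithm-agility check, not a DNSSEC signer.

```shell
#!/bin/sh
# Added example: probe OpenSSL for EC support and exercise the DNSSEC
# ECDSA curve/hash pairs. Requires the 'openssl' CLI on PATH.

# An OpenSSL built with 'no-ec' (as in the Fedora .spec discussed above)
# has no usable ecparam subcommand, so listing curves and looking for the
# P-256 name is a quick capability probe. Returns 0 when EC is available.
has_ec_support() {
    openssl ecparam -list_curves 2>/dev/null | grep -q 'prime256v1'
}

# ecdsa_sign_verify SIGN_CURVE SIGN_HASH VERIFY_CURVE VERIFY_HASH
#   Generates a key on SIGN_CURVE, signs a constructed RRset line with
#   SIGN_HASH, then verifies with a public key on VERIFY_CURVE using
#   VERIFY_HASH. When the curves match the signer's own public key is used;
#   otherwise a fresh key on VERIFY_CURVE stands in for a resolver that
#   expects the other algorithm. Returns 0 on successful verification,
#   1 on verification failure, 2 on a setup error (e.g. no EC support).
ecdsa_sign_verify() {
    sign_curve="$1"; sign_hash="$2"; verify_curve="$3"; verify_hash="$4"
    dir=$(mktemp -d) || return 2
    # Constructed input standing in for the data a signer would hash.
    printf 'example.  3600 IN A 192.0.2.1\n' > "$dir/rrset"
    if ! openssl ecparam -name "$sign_curve" -genkey -noout \
            -out "$dir/sign.pem" 2>/dev/null; then
        rm -rf "$dir"; return 2
    fi
    if [ "$verify_curve" = "$sign_curve" ]; then
        verify_key="$dir/sign.pem"
    else
        if ! openssl ecparam -name "$verify_curve" -genkey -noout \
                -out "$dir/other.pem" 2>/dev/null; then
            rm -rf "$dir"; return 2
        fi
        verify_key="$dir/other.pem"
    fi
    if ! openssl pkey -in "$verify_key" -pubout -out "$dir/pub.pem" 2>/dev/null; then
        rm -rf "$dir"; return 2
    fi
    if ! openssl dgst "-$sign_hash" -sign "$dir/sign.pem" \
            -out "$dir/sig.der" "$dir/rrset" 2>/dev/null; then
        rm -rf "$dir"; return 2
    fi
    # 'openssl dgst -verify' exits 0 only on "Verified OK".
    if openssl dgst "-$verify_hash" -verify "$dir/pub.pem" \
            -signature "$dir/sig.der" "$dir/rrset" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# Human-readable driver for running the script by hand.
report() {
    label="$1"; shift
    if "$@"; then echo "$label: verified OK"; else echo "$label: FAILED (rc=$?)"; fi
}

if has_ec_support; then
    echo "OpenSSL reports EC support ($(openssl version))"
    report "alg 13, P-256/SHA-256 self-check" ecdsa_sign_verify prime256v1 sha256 prime256v1 sha256
    report "alg 14, P-384/SHA-384 self-check" ecdsa_sign_verify secp384r1 sha384 secp384r1 sha384
    report "alg 13 signature checked as alg 14" ecdsa_sign_verify prime256v1 sha256 secp384r1 sha384
else
    echo "OpenSSL has no EC support (built with no-ec?); rebuild or install a newer package"
fi
```

The last report line is expected to print FAILED: a P-256/SHA-256 signature does not verify under a P-384 key with SHA-384, so a resolver has to implement algorithm 13 and algorithm 14 independently, exactly as it does for RSASHA256 and RSASHA512. If `has_ec_support` fails on a distribution build, the `no-ec no-ecdh no-ecdsa` configure options Francis found in the .spec are the first thing to look for.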