IETF Logo Mail Archive

Re: [dnsext] Adopting draft: draft-hoffman-dnssec-ecdsa-04.txt

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 05 January 2011 18:54 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 189DD3A6C69; Wed, 5 Jan 2011 10:54:20 -0800 (PST)
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 251773A6C78 for <dnsext@core3.amsl.com>; Wed, 5 Jan 2011 10:54:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.656
X-Spam-Level:
X-Spam-Status: No, score=-101.656 tagged_above=-999 required=5 tests=[AWL=0.390, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K-SJ+4LMY3oV for <dnsext@core3.amsl.com>; Wed, 5 Jan 2011 10:54:17 -0800 (PST)
Received: from hoffman.proper.com (Hoffman.Proper.COM [207.182.41.81]) by core3.amsl.com (Postfix) with ESMTP id 6A3083A6BE9 for <dnsext@ietf.org>; Wed, 5 Jan 2011 10:54:17 -0800 (PST)
Received: from MacBook-08.local (75-101-30-90.dsl.dynamic.sonic.net [75.101.30.90]) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p05IuNII032813 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for <dnsext@ietf.org>; Wed, 5 Jan 2011 11:56:24 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Message-ID: <4D24BED7.1060007@vpnc.org>
Date: Wed, 05 Jan 2011 10:56:23 -0800
From: Paul Hoffman <paul.hoffman@vpnc.org>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: dnsext@ietf.org
References: <4D014A84.5070204@ogud.com> <4D2390DE.8050409@ogud.com> <4D23A061.3060501@vpnc.org> <4D248950.3040208@ogud.com> <4D248A72.5010404@vpnc.org> <a06240801c94a3ed54f9e@[10.31.200.116]> <Prayer.1.3.3.1101051839410.18449@hermes-2.csi.cam.ac.uk>
In-Reply-To: <Prayer.1.3.3.1101051839410.18449@hermes-2.csi.cam.ac.uk>
Subject: Re: [dnsext] Adopting draft: draft-hoffman-dnssec-ecdsa-04.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On 1/5/11 10:39 AM, Chris Thompson wrote:
> On Jan 5 2011, Edward Lewis wrote:
>
>> I'd like to see this stated in DNS terms - i.e., the notion of
>> strength is not one of them.
>>
>> I would suggest that
>>
>> - the authoritative set of the DS record SHOULD include a DS RR for
>> each key that is of the same hash algorithm as is used in the key and
>> MAY have other hashes (and MAY even have only other hashes[1])
>>
>> [1] The parenthetical comment is redundant, put it there for emphasis.
>>
>> - a validator SHOULD prefer the DS record of the same hash algorithm
>> over other hash algorithms for a key.
>
> You mean that a validator should prefer a digest type 1 (SHA-1) DS over
> a type 2 (SHA-256) DS if the key to be validated uses algorithm RSASHA1?
> This directly contradicts the SHOULD in RFC 4509 section 3, and also
> doesn't seem too sensible to me.

Thank you, Chris. I knew that someone had said something about strengths 
in an RFC, but I could not remember where. You nailed it.

That's not to say that we should have equivalent wording in this 
document, just that the "cannot say anything about strength" is a new 
requirement that is not met by earlier standards-track documents from 
this WG.
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email