IETF Logo Mail Archive

Re: [dnsext] Adopting draft: draft-hoffman-dnssec-ecdsa-04.txt

Phillip Hallam-Baker <hallam@gmail.com> Fri, 07 January 2011 14:30 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 53F983A68D8; Fri, 7 Jan 2011 06:30:53 -0800 (PST)
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 783A23A68D8 for <dnsext@core3.amsl.com>; Fri, 7 Jan 2011 06:30:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.889
X-Spam-Level:
X-Spam-Status: No, score=-2.889 tagged_above=-999 required=5 tests=[AWL=-0.290, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3IeDa4jxc7Ap for <dnsext@core3.amsl.com>; Fri, 7 Jan 2011 06:30:50 -0800 (PST)
Received: from mail-yi0-f44.google.com (mail-yi0-f44.google.com [209.85.218.44]) by core3.amsl.com (Postfix) with ESMTP id DB9833A68BE for <dnsext@ietf.org>; Fri, 7 Jan 2011 06:30:49 -0800 (PST)
Received: by yie19 with SMTP id 19so5352537yie.31 for <dnsext@ietf.org>; Fri, 07 Jan 2011 06:32:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=bVTEe0Wud6yeNedB0T4zslRMjkiHWemFR8VFo1bw8II=; b=UQo0Tikqdqfmj8/IbYRqwNNSiXORH6uriYwE9Po5yYSnKHG4+xJ6/JxsoLr8Z9LBF3 P1ZAFjbtZ5Fa10aYW/ysR7+PoPtcC+uLCSxBeX6VLUn7dhIhXH9PeabUWDeIfdUPkBKP 6okEmmJJNUPJsbOqWvzm3/LeU3XUO+q+4CHD0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=cl9FG4GesSpb2y8v8zmtJHqgUJ+lYrBnsWPW+dxfC7M52CIXsATI9exUf9x8sDzYbF Jo8jWRotK9QvYQ3u3DGIjmuFR+aJD6bXRgDS3L22z/j/OpuqGN5Xk5G3cA7/bhA1cAUu I4citZs8cKDrVRtwkebnYXn7ulxUpIK3I0JYI=
MIME-Version: 1.0
Received: by 10.100.93.6 with SMTP id q6mr3124415anb.69.1294410776267; Fri, 07 Jan 2011 06:32:56 -0800 (PST)
Received: by 10.100.31.8 with HTTP; Fri, 7 Jan 2011 06:32:56 -0800 (PST)
In-Reply-To: <Prayer.1.3.3.1101051839410.18449@hermes-2.csi.cam.ac.uk>
References: <4D014A84.5070204@ogud.com> <4D2390DE.8050409@ogud.com> <4D23A061.3060501@vpnc.org> <4D248950.3040208@ogud.com> <4D248A72.5010404@vpnc.org> <a06240801c94a3ed54f9e@10.31.200.116> <Prayer.1.3.3.1101051839410.18449@hermes-2.csi.cam.ac.uk>
Date: Fri, 07 Jan 2011 09:32:56 -0500
Message-ID: <AANLkTimnz9CBDbjXc0V2=zdM6PZnSs4_+ZaEL8CCVbXk@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: cet1@cam.ac.uk
Cc: Edward Lewis <Ed.Lewis@neustar.biz>, Paul Hoffman <paul.hoffman@vpnc.org>, dnsext@ietf.org
Subject: Re: [dnsext] Adopting draft: draft-hoffman-dnssec-ecdsa-04.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

Rather than using the term 'strength' I suggest we use the term 'work factor'.

The term strength tends to be interpreted relative to the algorithm
concerned, 'what strength RSA key', it is not really defined as an
absolute measure.


Work factor using known best attack is much better defined. Although
there is always going to be a degree of slop since many attacks have
memory/CPu tradeoffs.


But all this is really outside the parameters of what DNSEXT should
have to concern itself with. What matters most in choice of
cryptographic algorithm is consistency. The attacker only needs to
break the weakest link in the chain. So if we have SHA3 in the DNSSEC
layer and MD5 in the S/MIME we are still vulnerable.


I would like to propose we change the model here. The IETF should get
out of the business for issuing DNSSEC code points for any algorithm
other than those which are mandatory to implement.

Mandatory to implement algorithms should be specified in RFCs that
apply to a collection of protocols. Working Groups would be free to
decide whether to specify their own algorithms or use the common
mandatory set. The advantage of using a common mandatory set being
that they would be subject to ongoing maintenance and revision.

So an implementation that offered DNSSEC with the 2012 crypto set
might specify RFC4043 + RFC 7xxx compliance.


All non-mandatory crypto would use ASN.1 OIDs to declare the algorithm
type. In the case of DNSSEC this would require an approach similar to
the one that the OID based CERT type uses. There would be a code point
reserved for identifying the algorithm by ASN.1 oid and a defined
mechanism for squeezing in the OID as a prefix to the crypto material.


Some people are going to complain about the lack of control here. But
that is worrying about the wrong problem. The only problems we should
be concerned with are interoperability and endorsement.

The only interoperability concern should be that applications that
support a common algorithm be able to use it to communicate. That
means that they all use the same code points to identify the same
algorithm. It is not a big concern to me as people who use non
standard crypto should know what to expect. It is their funeral, we
should not try to stop them attending.

The much bigger concern for me is endorsement. The problem with having
the IETF control the registry is that making an entry into the
registry implies an endorsement. Like it or not, the IETF has
effectively endorsed the use of GOST, a Soviet era crypto algorithm
that is being promoted for specific political reasons that I believe
to be contrary to the principles of an open Internet.

The fact that the OID registry is open and has no gating factor is a
good thing. No gate means no endorsement. If we had used ASN.1 OIDs to
identify algorithms there would be no RFC 5933, there would be no
mention of GOST in RFCs at all unless there was a decision to adopt it
as a mandatory to implement algorithm (which the GRU would not want in
any case since their whole purpose requires use of a different
algorithm).


On Wed, Jan 5, 2011 at 1:39 PM, Chris Thompson <cet1@cam.ac.uk> wrote:
> On Jan 5 2011, Edward Lewis wrote:
>
>> I'd like to see this stated in DNS terms - i.e., the notion of strength is
>> not one of them.
>>
>> I would suggest that
>>
>>  - the authoritative set of the DS record SHOULD include a DS RR for each
>> key that is of the same hash algorithm as is used in the key and MAY have
>> other hashes (and MAY even have only other hashes[1])
>>
>> [1] The parenthetical comment is redundant, put it there for emphasis.
>>
>>  - a validator SHOULD prefer the DS record of the same hash algorithm over
>> other hash algorithms for a key.
>
> You mean that a validator should prefer a digest type 1 (SHA-1) DS over
> a type 2 (SHA-256) DS if the key to be validated uses algorithm RSASHA1?
> This directly contradicts the SHOULD in RFC 4509 section 3, and also
> doesn't seem too sensible to me.
>
>>                                      Prefer means that it SHOULD be the
>> first tried and if it fails, the validator MAY declare failure without
>> examining the other applicable hash algorithms.  A validator MUST NOT
>> require that there be a hash of the same algorithm present, with require
>> meaning - if such a hash is absent, failure is not automatic.
>>
>> You may note that I spec "the same hash algorithm" because I don't know of
>> any way to say if one hash algorithm is stronger than the next.  I.e., bit
>> length might be an indicator but I bet it also isn't reliable.
>
> It's perfectly possible for an implementor, or an operator, to have
> opinions about this, though.
>
> --
> Chris Thompson               University of Cambridge Computing Service,
> Email: cet1@ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
> Phone: +44 1223 334715       United Kingdom.
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
>



-- 
Website: http://hallambaker.com/
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email