Re: [secdir] review of draft-ietf-dnsext-dnssec-gost-05

I agree as well.

-Ekr

At Fri, 08 Jan 2010 11:35:28 -0500,
Uri Blumenthal wrote:
> 
> I am in full agreement with the arguments Paul and Steve have made.
> 
> Keep GOST as MAY.
> 
> Quoting Paul Hoffman <phoffman@imc.org>:
> > To take it one step further: a signing algorithm that is easily 
> > broken opens up a new attack vector. Imagine that all DNSSEC "client" 
> > implementations (resolvers) need to support two algorithms, A and B. 
> > If A and B are of actual equal strength, an attacker has an equal 
> > problem. However, if B is found to have weaknesses that allows an 
> > attacker to forge signatures, that attacker then can create a bogus 
> > chain to a trust anchor using B in the entire path.
> >
> > It is for this reason that DNSSEC does not, for example, require that 
> > resolvers MUST be able to validate RSA signatures with 256-bit keys. 
> > However, by saying that resolvers MUST be able to validate anything 
> > other than the widely-agreed-to algorithms, you are opening up such 
> > an attack.
> >
> > GOST signatures use a hash algorithm that has a known academic 
> > attack. Thus, even if the GOST asymmetric encryption algorithm is as 
> > strong as RSA with the size of keys that people are using, the 
> > overall signing algorithm may be weaker. This is *not* an argument 
> > that Russia should not use GOST: they have made their own security 
> > decisions based on the same knowledge that we have (and possibly 
> > more). It is, however, an argument against making everyone else be 
> > able to verify GOST signatures as if they were equivalent to other 
> > mandatory-to-implement signature algorithms.
> > _______________________________________________
> > secdir mailing list
> > secdir@ietf.org
> > https://www.ietf.org/mailman/listinfo/secdir
> >
> 
> 
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir