This is a multi-part message in MIME format.

------=_NextPart_000_0038_01C651B2.6B7D9A60
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

Ben Laurie asks

>> The two reason I'm exploring ECC are the size issue, and to have an
>> better answer next time someone ask why are you not using ECC.


>If size is the problem, what's wrong with DSA?


Until recently the fact that the key size was limited to 512 bits and the
hash function to 160 bits.

NIST recently approved a new version that allows a 2048 bit key size and 256
bit (or 224 bit) subgroup. This means the keys are 256 bytes, the signatures
are 64 bytes.

This is not quite as good as the best ECC scheme but we can deploy this
today and without the patent hassle that ECC would involve.

I propose the folowing:

1) Drop DSA-SHA1 from the spec, it is obsolete.
2) Add DSA-2048-SHA256 as a MUST
3) Relegate the RSA algorithm to SHOULD


Time is getting short if DNSSEC is going to meet the next window of
opportunity for deployment. That is going to come with the deployment of
DKIM. If you want to deploy a security infrastructure you have to meet a
security requirement. The biggest deployment problem today is the fact that
DNS is perceived to work too well to justify the cost of DNSSEC.

The other picture change that has to occur here is the mistaken belief that
the protocol must be perfectly secure on day one. Emprically it is much
easier to upgrade a deployed infrastructure than to start deployment. The
opposition to OPT-IN and anti-zone walking technologies is entirely
misguided as is the entire thread on the level of security actually
provided.

DNSSEC is never going to be the last line of security defense. The DNS is a
signaling infrastructure, it is not a discovery infrastructure and its
naming capabilities are limited. The user should not expect 'ibm.com' to
resolve to the IBM that they are most familiar with, all they can expect is
that it will resolve consistently (over certain time intervals).

What we need from DNSSEC is a good layer of security to protect the
signaling layer infrastructure against attack and to allow the signaling
layer to be leveraged by application level security solutions such as
SenderID and DKIM. It does not have to be perfect for all purposes to do
this.


People seem to have a 'single break' security model. This is not appropriate
to analysis of DNSSEC except with respect to zone signing keys for large,
valuable domains. I would not be at all worried about deploying based on
DSA-SHA1 causing problems within the next 5 years. The only reason I
strongly urge a change now is that this fix is much easier to do now and has
zero impact on the architecture (its just drop in of a new algorithm). It
is going to be easier to SELL DNSSEC if the key strength matches
expectations.

WHEN security flaws are discovered in DNSSEC we will fix them. There have
been flaws in every crypto implementation successfully deployed to date -
SSL, WEP, PGP, SSH ... The only protocols that have escaped flaw discovery
are the ones nobody ever used. Despite these well known flaws I am not aware
of a single case where one has been exploited for criminal purposes. Even
flawed crypto is not the weakest link in the system.

What we cannot fix is a protocol that does not meet the deployment
constraints in the field.

------=_NextPart_000_0038_01C651B2.6B7D9A60
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCS qGSIb3DQEHAQAAoIIUBDCCAoAw
ggHpoAMCAQICEQCyNFw02+JxK/SJPVrL0W7rMA0GCSqGSIb3DQEBBAUAMFExCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEWMBQGA1UECxMNQ2 9ycG9yYXRlIElTRzERMA8GA1UE
AxMISVBTZWMgQ0EwHhcNOTkxMDIxMDAwMDAwWhcNMDkxMDIxMj M1OTU5WjBRMQswCQYDVQQGEwJV
UzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xFjAUBgNVBAsTDU NvcnBvcmF0ZSBJU0cxETAPBgNV
BAMTCElQU2VjIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ KBgQC8hbpukYQ9ZzsnCGcBfV9V
0S6dL6DmQTly99jiGKylKnrR6r+9IYn3p7paKD4hc5q7CuXwvk KGYKYewqmjjEE3ncwEt+Lb7d6T
Rzw9q1Lktnerh+ZLZmmg66hqoJ0gvEufbhSZcaFfd+GOAwcc4g i9gms0QxRxT5iSt0GoqFaSRQID
AQABo1gwVjAjBgNVHREEHDAapBgwFjEUMBIGA1UEAxMLT25zaX RlMi0xNDUwEQYJYIZIAYb4QgEB
BAQDAgEGMA8GA1UdEwQIMAYBAf8CAQAwCwYDVR0PBAQDAgEGMA 0GCSqGSIb3DQEBBAUAA4GBAHid
MZBUanCQ/uLOqKJkBYzqExOzrWw7hThsnrwLdkJMFIToG6zQCXF1kDhD5Dk vs62P/oDQaTz0THy7
D7L8pVmH5aXDIUQ6+0IiE5WTF8W1wy7sxXtRVtjaA5K0Ks3H/jYOTCcONZ23RKW+yzMWAUKI5neh
leC1aZpra1xeCQv4MIIC6jCCAlOgAwIBAgIQbsSmTwagoePcKL XY2aPQwDANBgkqhkiG9w0BAQQF
ADBRMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIE luYy4xFjAUBgNVBAsTDUNvcnBv
cmF0ZSBJU0cxETAPBgNVBAMTCElQU2VjIENBMB4XDTA2MDExMT AwMDAwMFoXDTA3MDExMTIzNTk1
OVoweDEXMBUGA1UEChQOVmVyaVNpZ24sIEluYy4xGzAZBgNVBA sUElJlbW90ZSBBY2Nlc3MgVXNl
cjEcMBoGA1UEAxMTUGhpbGlwIEhhbGxhbS1CYWtlcjEiMCAGCS qGSIb3DQEJARYTcGJha2VyQHZl
cmlzaWduLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgY EAzxhnkx3bovN4ayxbfh7jSdUX
Zwu9vXe0jbEPJf6qQL1picRE3Z6Uf3WTCrIXtxq0fA3l1unByt 3Ej2N4oqLPb+oUAWK8P+pHoom1
huJpEcKayU9aj+C5tj6/dytjRTvKmJTY2YK/gc8VKcCxIkk/W/YuScRFIlx5B5c5l/JlKVsCAwEA
AaOBmzCBmDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDARBglghk gBhvhCAQEEBAMCB4AwWAYDVR0f
BFEwTzBNoEugSYZHaHR0cDovL29uc2l0ZWNybC52ZXJpc2lnbi 5jb20vVmVyaVNpZ25JbmNSZW1v
dGVBY2Nlc3NVc2VyL0xhdGVzdENSTC5jcmwwEQYKYIZIAYb4RQ EGCQQDAQH/MA0GCSqGSIb3DQEB
BAUAA4GBAEbtIeGVxE1YBPgVjOy17U8r2oyX7XBSC7XmFPcZ3j VYivlHVGzBQIenSqo7xS9TxHDY
rCxxTcMtx3j/knFVqpcQMGH38Aem+IuwQJAcCnTtnu8bP/IFnDh5+vnvPXF36ZI+qC9TUFttBPrF
Bpc9CkvSPesoZKSfngGidzJUUK0LMIIDAzCCAmwCEQC5L2DMiJ +hekYJuFtwbIqvMA0GCSqGSIb3
DQEBBQUAMIHBMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaV NpZ24sIEluYy4xPDA6BgNVBAsT
M0NsYXNzIDIgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbi BBdXRob3JpdHkgLSBHMjE6MDgG
A1UECxMxKGMpIDE5OTggVmVyaVNpZ24sIEluYy4gLSBGb3IgYX V0aG9yaXplZCB1c2Ugb25seTEf
MB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazAeFw05OD A1MTgwMDAwMDBaFw0yODA4MDEy
MzU5NTlaMIHBMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaV NpZ24sIEluYy4xPDA6BgNVBAsT
M0NsYXNzIDIgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbi BBdXRob3JpdHkgLSBHMjE6MDgG
A1UECxMxKGMpIDE5OTggVmVyaVNpZ24sIEluYy4gLSBGb3IgYX V0aG9yaXplZCB1c2Ugb25seTEf
MB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazCBnzANBg kqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAp4gBIXQs5xoD8JjhlzwPIQjxnNuX6Zr8wgQGE75fUsjMHi wSViy4AWkszJkfrbCWrnkE8hM5
wXuYuggs6MKEEyyqaekJ9MepAqRCwiNPStjwDqL7MWzJ5m+ZJw f15vRMeJ5t60aG+rmGyVTyssSv
1EYcWskVMP8NbPUtDm3Of3cCAwEAATANBgkqhkiG9w0BAQUFAA OBgQByLvl/0fFx+8Se9sVeUYpA
mLho+Jscg9jinb3/7aHmZuovCfTK1+qlK5X2JGCGTUQug6XELaDTrnhpb3LabK4I8G OSN+a7xDAX
rXfMSTWqz9iP0b63GJZHc2pUIjRkLbYWm1lbtFFZOrMLFPQS32 eg9K0yZF6xRnInjBJ7xUS0rjCC
A6YwggMPoAMCAQICEHWNgosXAgaqes2nmr0jsCgwDQYJKoZIhv cNAQEFBQAwgcExCzAJBgNVBAYT
AlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECx MzQ2xhc3MgMiBQdWJsaWMgUHJp
bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOA YDVQQLEzEoYykgMTk5OCBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR 8wHQYDVQQLExZWZXJpU2lnbiBU
cnVzdCBOZXR3b3JrMB4XDTk5MDIyNTAwMDAwMFoXDTA5MDIyND IzNTk1OVowga0xFzAVBgNVBAoT
DlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcn VzdCBOZXR3b3JrMUkwRwYDVQQL
E0BVc2UgaXMgc3ViamVjdCB0byB0ZXJtcyBhdCBodHRwczovL3 d3dy52ZXJpc2lnbi5jb20vcnBh
LWtyIChjKTk5MSYwJAYDVQQDEx1WZXJpU2lnbiBDbGFzcyAyIF BlcnNvbm5lbCBDQTCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEApwRsD6Jyt0oGLvjXKSw0nY K8SJFKx6z56fy5WXixVcBTWLHP
bxY7wUnVy/RuzOHMy7XHLk6IqjTpttBbfD4VVzThGLz/3fWvZ1kgCuU96oiKQNKaiRMpqbbV26d+
4ec3JJP9lHRNeuQybUzoXBaXr92S2WaKFGbk6loDqD1f+wsCAw EAAaOBsDCBrTARBglghkgBhvhC
AQEEBAMCAQYwDwYDVR0TBAgwBgEB/wIBATALBgNVHQ8EBAMCAQYwRAYDVR0gBD0wOzA5BgtghkgB
hvhFAQcXAjAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZX Jpc2lnbi5jb20vcnBhMDQGA1Ud
HwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3 BjYTItZzIuY3JsMA0GCSqGSIb3
DQEBBQUAA4GBAFJetpXbb3ymfgX2VIU72RqKRVlffMJl7vlA3l Rux5ASgCQ8QKNj7IUf9R4bico9
juNLLt+cG+6O51S5VpP+29HERPjLnECdkqzFzgTxEUbsiLyYyI whfTeczGu9NKWTjL2cOR3qp5wa
zfVHbSxzE2NqIS5afYd9vEy+8scDwoy2MIIDwDCCAymgAwIBAg IQSsgAA2Nh1BUDFvGGNpu3zTAN
BgkqhkiG9w0BAQUFADCBrTEXMBUGA1UEChMOVmVyaVNpZ24sIE luYy4xHzAdBgNVBAsTFlZlcmlT
aWduIFRydXN0IE5ldHdvcmsxSTBHBgNVBAsTQFVzZSBpcyBzdW JqZWN0IHRvIHRlcm1zIGF0IGh0
dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEta3IgKGMpOTkxJj AkBgNVBAMTHVZlcmlTaWduIENs
YXNzIDIgUGVyc29ubmVsIENBMB4XDTk5MDIyNTAwMDAwMFoXDT A5MDIyMzIzNTk1OVowgawxFzAV
BgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2 lnbiBUcnVzdCBOZXR3b3JrMUkw
RwYDVQQLE0BVc2UgaXMgc3ViamVjdCB0byB0ZXJtcyBhdCBodH RwczovL3d3dy52ZXJpc2lnbi5j
b20vcnBhLWtyIChjKTk5MSUwIwYDVQQDExxWZXJpU2lnbiBDbG FzcyAyIEVtcGxveWVlIENBMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAitGHYaLqMANVaw g28Jf6GlQ1JB/ofZ3Iw3PT2Eb1
kS3ZOO2U17Amcyrel1BN/yIcvXAAmAxYKrGkco+lufctfGDjtd/pfU4hIWHV/DtUyaQJnLsi+aK6
cGFPhkai/QVk7Ao/plh2V7sWc0R88KUNl8BspvFjCCWxBBeVoI3+fwIDAQABo4HfMI HcMCkGA1Ud
EQQiMCCkHjAcMRowGAYDVQQDExFQcml2YXRlTGFiZWwxLTExOD ARBglghkgBhvhCAQEEBAMCAQYw
DwYDVR0TBAgwBgEB/wIBADALBgNVHQ8EBAMCAQYwRAYDVR0gBD0wOzA5BgtghkgBhvh FAQcXAjAq
MCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb2 0vcnBhMDgGA1UdHwQxMC8wLaAr
oCmGJ2h0dHA6Ly9jcmwudmVyaXNpZ24uY29tL1ZTQ2xhc3MySW 50LmNybDANBgkqhkiG9w0BAQUF
AAOBgQA2GP0zYNYX0wS12FRfUhrlkggo9KJA2sNbjBqGl++uoh X+bMTOL8gByjO+8nlYM5eXkkVw
Wk4oHd33wYhOG4dXAj2TJdl+TnI1iUkXs7l3L20O+aSIJcHOdn NlaQWTd+f9k5YYOE1YbHqd6NKb
6NDbif1JwnUEA5el1JaB2CNB8DCCBBkwggOCoAMCAQICEF052q AxsWldLlk3EVCNpLEwDQYJKoZI
hvcNAQEEBQAwgawxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR 8wHQYDVQQLExZWZXJpU2lnbiBU
cnVzdCBOZXR3b3JrMUkwRwYDVQQLE0BVc2UgaXMgc3ViamVjdC B0byB0ZXJtcyBhdCBodHRwczov
L3d3dy52ZXJpc2lnbi5jb20vcnBhLWtyIChjKTk5MSUwIwYDVQ QDExxWZXJpU2lnbiBDbGFzcyAy
IEVtcGxveWVlIENBMB4XDTA1MDgxMDAwMDAwMFoXDTA2MDgxMD IzNTk1OVowbTERMA8GA1UEChMI
VkVSSVNJR04xCzAJBgNVBAsTAkhRMRMwEQYDVQQDEwpSZWNpcG llbnRzMTYwNAYDVQQDEy1wYmFr
ZXIgKEhhbGxhbS1CYWtlciBQaGlsbGlwLCBWZXJpU2lnbiwgSW 5jLikwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBANQT8A2wsm52VpfNoc/FbBi07LKq8Q8ztSvZkocF+JRtdAbMtHn3PnO/UGqF
Q1Td0has2t+XiV2xVax+/qEuAat5b20pRHj32whM/XcmMco7CHFH+TseTwChwJGt9fAVKjAGWRJq
di8EISDmrRmxO3vbtIKNtzL10YHha+MRpPMbAgMBAAGjggF4MI IBdDAJBgNVHRMEAjAAMFkGA1Ud
HwRSMFAwTqBMoEqGSGh0dHA6Ly9vbnNpdGVjcmwudmVyaXNpZ2 4uY29tL1ZlcmlTaWduSW5jRXhj
aGFuZ2VFbXBsb3llZXMvTGF0ZXN0Q1JMLmNybDALBgNVHQ8EBA MCBaAwHgYDVR0RBBcwFYETcGJh
a2VyQHZlcmlzaWduLmNvbTCBrAYDVR0gBIGkMIGhMIGeBgtghk gBhvhFAQcBATCBjjAoBggrBgEF
BQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQUzBiBg grBgEFBQcCAjBWMBUWDlZlcmlT
aWduLCBJbmMuMAMCAQEaPVZlcmlTaWduJ3MgQ1BTIGluY29ycC 4gYnkgcmVmZXJlbmNlIGxpYWIu
IGx0ZC4gKGMpOTcgVmVyaVNpZ24wEQYJYIZIAYb4QgEBBAQDAg eAMB0GA1UdJQQWMBQGCCsGAQUF
BwMEBggrBgEFBQcDAjANBgkqhkiG9w0BAQQFAAOBgQCrTQbYFs Byl4BpUeoDHIAeqhBlPPPG/NcU
uz0Edr7Eyv729E53LMbjHB8IUfHp4fN7fKD+NwS6uPMszKuczA hXMfG/YmBm/aod+VebYCw4TODA
HE8c2E8AboGqFq6XVIRXjTvIFG6hZi4z4I9PN/emwSjlMe73wBeyBctUJ7O3YDGCAyAwggMcAgEB
MIHBMIGsMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1 UECxMWVmVyaVNpZ24gVHJ1c3Qg
TmV0d29yazFJMEcGA1UECxNAVXNlIGlzIHN1YmplY3QgdG8gdG VybXMgYXQgaHR0cHM6Ly93d3cu
dmVyaXNpZ24uY29tL3JwYS1rciAoYyk5OTElMCMGA1UEAxMcVm VyaVNpZ24gQ2xhc3MgMiBFbXBs
b3llZSBDQQIQXTnaoDGxaV0uWTcRUI2ksTAJBgUrDgMCGgUAoI IBtDAYBgkqhkiG9w0BCQMxCwYJ
KoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNjAzMjcyMDIzMz daMCMGCSqGSIb3DQEJBDEWBBRa
gkKifzmPCAPI3ywAD6zphPeGRDBnBgkqhkiG9w0BCQ8xWjBYMA oGCCqGSIb3DQMHMAcGBSsOAwIa
MA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDg MCBzANBggqhkiG9w0DAgIBKDAK
BggqhkiG9w0CBTB0BgkrBgEEAYI3EAQxZzBlMFExCzAJBgNVBA YTAlVTMRcwFQYDVQQKEw5WZXJp
U2lnbiwgSW5jLjEWMBQGA1UECxMNQ29ycG9yYXRlIElTRzERMA 8GA1UEAxMISVBTZWMgQ0ECEG7E
pk8GoKHj3Ci12Nmj0MAwdgYLKoZIhvcNAQkQAgsxZ6BlMFExCz AJBgNVBAYTAlVTMRcwFQYDVQQK
Ew5WZXJpU2lnbiwgSW5jLjEWMBQGA1UECxMNQ29ycG9yYXRlIE lTRzERMA8GA1UEAxMISVBTZWMg
Q0ECEG7Epk8GoKHj3Ci12Nmj0MAwDQYJKoZIhvcNAQEBBQAEgY CHG8KbToPGcc+UIH3xDcZNWarQ
Kz2WWk1kEd7IeA/lnaVlCRpnOFS1Q2UX7qY7ABE+zgUQhc83FO/nb6xrM2V2R9VC7f2JQQxjKYEc
ZU/ctl3cNQ0Qh5h45dK6lacAraZcxOzcByFhQzHRMLT79McDJOlUV L1vwuPIBrSZnTpKvwAAAAAA
AA==

------=_NextPart_000_0038_01C651B2.6B7D9A60--

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: