2 Jan 2011 21:38
Re: Re. Adopting draft: draft-hoffman-ecdsa-dnssec-04.txt
Rose, Scott W. <scott.rose <at> nist.gov>
2011-01-02 20:38:01 GMT
On Dec 30, 2010, at 2:35 PM, Edward Lewis wrote:

> With the end of the decade drawing close, I finally had time to look at this:
>
> http://tools.ietf.org/html/draft-hoffman-dnssec-ecdsa-04
>
> This should be adopted and edited by the WG.
>
> Some first blush notes - it needs some support for these claims:
>
> "Currently, the most popular signature algorithm is RSA with SHA-1,
> using keys 1024 or 2048 bits long."
>
> I don't think that is a relevant point, so maybe there's no need to
> add a reference. But if it sticks, as Wikipedia says "This article
> lacks inline citations. Please help improve this article by
> introducing appropriate citations to additional sources."
>

Talking about the algorithm is probably correct (being that RSA/SHA-1 is the only algorithm considered mandatory to implement). The key size statement may not be easier to prove, but doesn't add much to the discussion, so could be dropped.

> Another example is the claim:
>
> "Current estimates are that ECDSA with curve P-256 has an approximate
> equivalent strength to RSA with 3072-bit keys."
>
> The notion of cryptographic strength is one that should be something
> I can find in a referenced document somewhere.
>

I would offer NIST SP 800-57 Part 1 as a reference here - Section 5.6.1 provides a comparison.

Scott

> I welcome the definition of additional algorithms for DNSSEC. But as
> a DNS engineer, don't expect me to know anything about cryptography.
> IOW, if a 3072 bit elliptical curve key was as strong as a normal RSA
> key of 100 bits, I'd welcome the definition.
>
> I just wouldn't use it.
>
> Seriously - what I am asking for are more references in the text,
> enough that this document could stand on its own and I wouldn't need
> a background in cryptography to believe the arguments and claims made.
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis
> NeuStar                    You can leave a voice message at +1-571-434-5468
>
> The 21st Century is 10% complete.
> _______________________________________________
> dnsext mailing list
> dnsext <at> ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext

===================================
Scott Rose
NIST
scottr <at> nist.gov
+1 301-975-8439
Google Voice: +1 571-249-3671
http://www.dnsops.gov/
===================================
_______________________________________________
dnsext mailing list
dnsext <at> ietf.org
https://www.ietf.org/mailman/listinfo/dnsext