If multiple independent entities sign, can't they elect to use shorter
algorithms?

I know 'short can be spoofed' is out there, but since there are now n *
<512> instead of 1 * 2048 is it not theoretically possible that at a cost
of more complexity, it can be demonstrated that as long as 1) the sigs are
all current 2) all the sigs agree then the risk of n 512-bit signings is not
necessarily worse than one 2048 or 4096 bit signing, for the specific need
we have: proof of correctness. (n is unstated. 512 is a nonce. I have no
idea what the sweet spot of keysize and number of keys would be.)

Therefore, if this is true, trading complexity for keysize might not
increase the initial bootstrap zone transfer size that much.

I am not a cryptographer and do not play one on TV.


On Wed, Jan 15, 2014 at 6:08 AM, Andrew Sullivan <a...@anvilwalrusden.com> wrote:

> On Tue, Jan 14, 2014 at 01:54:56PM -0500, Joe Abley wrote:
>
> > It's interesting to see that what was actually built in 2009/2010 is
> > largely compatible (at the high-level diagram level) with what was
> > proposed
>
> I thought that was interesting too.
>
> > However, each RKO you add increases the operational risk that an SKR
> > from that RKO might not be obtained within the required window,
> > which puts zone publication in jeopardy.
>
> Good point.  I think the idea is that this is a feature, because it's
> supposed to be the Mutually-Assured Destruction threat that will
> prevent the USG from unilaterally removing some country from the root
> zone (that seems to be the threat people are worried about.  Why is
> left as an exercise for the reader.  Note that I do not promise there
> is a solution to this exercise).
>
> > [If validators took the approach of installing trust anchors from
> > each and every RKO to mitigate this possibility, then they are
> > effectively saying "I'm happy so long as at least one RKO is happy
> > even if all the others are deeply miserable", which doesn't sound
> > like it achieves the document's objectives.]
>
> It _might_, if the idea were instead that validators used n of m.  Ben
> Laurie had a not-completely-dissimilar idea for root TA distribution
> entered in the "rollover" competition back in 2006 or so.  See
> http://tools.ietf.org/html/draft-laurie-dnssec-key-distribution-02.
>
> Thanks for the observations, which I think are quite helpful.
>
> A
>
> --
> Andrew Sullivan
> a...@anvilwalrusden.com
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
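A rough way to put numbers on the n x 512 versus 1 x 2048 question raised in this message, and on the n-of-m idea in the quoted reply (an added example, not part of the original thread). It assumes RSA keys, independent signers, an attacker who must factor every required key, and the heuristic GNFS cost formula with its o(1) term dropped; all function names are illustrative.

```python
import math


def gnfs_bits(modulus_bits):
    """Heuristic GNFS work, in bits, to factor an RSA modulus of this size.

    Uses L_N[1/3, (64/9)^(1/3)] with the o(1) term dropped, so the value is
    only meaningful for comparing key sizes, not as an absolute cost.
    """
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / math.log(2)


def forge_all_bits(modulus_bits, n_keys):
    """Work to forge n independent signatures: n factorings, costs add up."""
    return gnfs_bits(modulus_bits) + math.log2(n_keys)


def signature_bytes(modulus_bits, n_keys):
    """Size of n RSA signature fields (one modulus-length value each)."""
    return n_keys * modulus_bits // 8


def keys_to_match_log2(small_bits, big_bits):
    """log2 of how many small keys equal one big key in attacker work."""
    return gnfs_bits(big_bits) - gnfs_bits(small_bits)


if __name__ == "__main__":
    # Constructed comparison points: (modulus bits, number of signers).
    for bits, n in [(2048, 1), (512, 4), (512, 16), (1024, 2)]:
        print(f"{n:>2} x {bits:<4} "
              f"sig bytes={signature_bytes(bits, n):<5} "
              f"forge-all work ~2^{forge_all_bits(bits, n):.1f}")
    print("512-bit keys needed to match one 2048-bit key: "
          f"~2^{keys_to_match_log2(512, 2048):.0f}")
```

Under these assumptions, four 512-bit signatures occupy the same 256 bytes as one 2048-bit signature, while each doubling of the signer count adds only one bit to the attacker's work.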