On 10/15/19 12:11 PM, John R Levine wrote:
> I just heard a most interesting talk at M3AAWG about postquantum crypto and
> particularly about the NIST candidate algorithms. Many of them have much
> larger key or signature sizes than any current algorithm, like 10,000 bits or
> more. Some are a lot slower than others. Has anyone been looking at how
> these algorithms would or would not work with DNSSEC?
Yes. (More specifically: https://datatracker.ietf.org/doc/draft-hoffman-c2pq/, which is very casually being worked on in the CFRG.)

Or, define "work with". Falling back to TCP for getting DNSKEY records might not be a big deal. Or, maybe wait until NIST has gotten more through the process, given that key size and signature size are among the many factors they are considering.

> NIST is accepting comments and the talk said they particularly want comments
> from industry on how this would affect existing applications.
>
> I can imagine ways to make things work, e.g., hashes in some places rather
> than signatures, but I don't understand DNSSEC in enough detail to figure out
> what's a show stopper.

Or when the show stops. Or what to do if there are multiple selected algorithms with different features (speed, size of signatures, speed of signing, ...)

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
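Added example, not code from either message in the thread: a back-of-the-envelope estimate of the DNSKEY response size that the TCP-fallback remark above turns on. It uses the thread's own "10,000 bits" figure as a hypothetical post-quantum algorithm alongside RSA-2048 and ECDSA P-256, and assumes 1232 and 4096 bytes as the EDNS0 buffer sizes a resolver might advertise; name compression is ignored, so the numbers are slight over-estimates.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SigAlg:
    name: str
    pubkey_bytes: int  # public key field inside the DNSKEY RDATA
    sig_bytes: int     # signature field inside the RRSIG RDATA

# Classical sizes follow RFC 3110 / RFC 6605. The last row is not a real
# algorithm: it is the "10,000 bits or more" figure from the thread (1250 bytes).
RSA2048 = SigAlg("RSASHA256 (2048-bit)", 1 + 3 + 256, 256)  # exp-len, e=65537, modulus
ECDSAP256 = SigAlg("ECDSAP256SHA256", 64, 64)
PQ10KBIT = SigAlg("hypothetical 10,000-bit PQ signature", 1250, 1250)

def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a domain name (length-prefixed labels + root byte)."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1

def dnskey_rr_len(owner: str, alg: SigAlg) -> int:
    # name + type(2) class(2) ttl(4) rdlength(2) + flags(2) protocol(1) algorithm(1) + key
    return wire_name_len(owner) + 10 + 4 + alg.pubkey_bytes

def rrsig_rr_len(owner: str, alg: SigAlg) -> int:
    # RRSIG RDATA (RFC 4034 section 3.1): 18 fixed bytes + signer's name + signature
    return wire_name_len(owner) + 10 + 18 + wire_name_len(owner) + alg.sig_bytes

def dnskey_response_len(owner: str, alg: SigAlg, n_keys: int = 2, n_sigs: int = 1) -> int:
    """Size of a DNSKEY answer: header, question, OPT RR, keys (KSK+ZSK) and RRSIG(s)."""
    fixed = 12 + (wire_name_len(owner) + 4) + 11  # header + question + EDNS0 OPT, no options
    return fixed + n_keys * dnskey_rr_len(owner, alg) + n_sigs * rrsig_rr_len(owner, alg)

def transport(size: int, edns_buf: int = 1232) -> str:
    """How the response travels for a resolver advertising edns_buf (assumed value)."""
    if size <= 512:
        return "udp"        # fits even for a client without EDNS0
    if size <= edns_buf:
        return "udp-edns"   # fits only because the client advertised a larger buffer
    return "tcp"            # server sets TC, resolver retries the DNSKEY query over TCP

if __name__ == "__main__":
    for alg in (RSA2048, ECDSAP256, PQ10KBIT):
        n = dnskey_response_len("example.", alg)
        print(f"{alg.name:40s} {n:5d} bytes -> {transport(n)} / {transport(n, 4096)}")
```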