[DNSOP] WG: New Version Notification for draft-schmidt-brainpool-dnssec-00.txt
Dear all, I've just submitted the draft below on using ECDSA with Brainpool Curves for DNSSEC. The rationale behind this submission is the fact that the German electronic health insurance card (Gesundheitskarte) mandates the use of DNSSEC, while the use of Brainpool curves is recommended by the German Federal Office for Information Security (BSI). Currently, using ECC with DNSSEC is only specified for NIST Curves (RFC 6605). Hence, in order to comply with the recommendations on the one hand and with global specifications on the other hand, we wrote this draft. Any feedback/comments/thoughts are very welcome. Best, Jörn --- A new version of I-D, draft-schmidt-brainpool-dnssec-00.txt has been successfully submitted by Joern-Marc Schmidt and posted to the IETF repository. Name: draft-schmidt-brainpool-dnssec Revision: 00 Title: ECC Brainpool Curves for DNSSEC Document date: 2014-03-21 Group: Individual Submission Pages: 6 URL: http://www.ietf.org/internet-drafts/draft-schmidt-brainpool-dnssec-00.txt Status: https://datatracker.ietf.org/doc/draft-schmidt-brainpool-dnssec/ Htmlized: http://tools.ietf.org/html/draft-schmidt-brainpool-dnssec-00 Abstract: This document specifies the use of ECDSA with ECC Brainpool curves in DNS Security (DNSSEC). It comprises curves of three different sizes. Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Changes to Charter
On Wed, Mar 19, 2014 at 3:42 PM, Tim Wicinski tjw.i...@gmail.com wrote: Hello This is a conversation I've scheduled a few times and I did poor time mangement. After some discussion we're proposing adding two items to the DNSOP charter: --- 5. Address possible minor changes or extensions to the DNS Protocol, initially with a focus on the operational impacts of these changes. Act as clearinghouse or providing advice to ADs and other WGs on EDNS0 options, new RRTYPEs, record synthesis, or other mechanics of extending DNS to support other applications. 6. Publish documents which address DNS-related issues, by identifying and documenting the problem space around the issue. The group will then discuss these issues and decide if which group should address the solution space. Last sentence does not parse (and I'm not quite sure what you were trying to say, so unclear how to fix it). W -- We welcome your feedback either on the items, the wording, or anything you wish to comment on. thanks tim ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] on the subject of dnse
This was the use case that originally drove the development of OmniBroker. If we do DNS Encryption right it is going to be very easy for end users to chose their DNS provider and very hard for the authorities to block them. Security is a balance. Going through 8.8.8.8 rather than direct means that you are leaking privacy sensitive information to Google. But that is probably less important here than the censorship attack. On Thu, Mar 20, 2014 at 11:31 PM, joel jaeggli joe...@bogus.com wrote: https://twitter.com/enginonder/status/446819815106576384/photo/1 ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Website: http://hallambaker.com/ ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Changes to Charter
On 3/21/14, 7:38 AM, Warren Kumari wrote: On Wed, Mar 19, 2014 at 3:42 PM, Tim Wicinski tjw.i...@gmail.com wrote: 6. Publish documents which address DNS-related issues, by identifying and documenting the problem space around the issue. The group will then discuss these issues and decide if which group should address the solution space. Last sentence does not parse (and I'm not quite sure what you were trying to say, so unclear how to fix it). W Ooof. I obviously failed to incorporate the correct wording from my co-chair. What this sentence is trying to say is: The group will then discuss these issues and decide if which group should address the solution space. Is something like this: dnsop will take in drafts that revolve around DNS-related issues, and the group will discuss the problem space (via drafts) and decide: 1. should the solution space be addressed in dnsop? 2. If not, help decide where the work would be better carried out and work with the appropriate ADs on this. This still sounds horrible. tim ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Changes to Charter
I am fine with these 2 items if DNS includes DNSSEC. Maybe replacing DNS by DNS or DNSSEC clarify this. On Fri, Mar 21, 2014 at 2:16 PM, Tim Wicinski tjw.i...@gmail.com wrote: On 3/21/14, 7:38 AM, Warren Kumari wrote: On Wed, Mar 19, 2014 at 3:42 PM, Tim Wicinski tjw.i...@gmail.com wrote: 6. Publish documents which address DNS-related issues, by identifying and documenting the problem space around the issue. The group will then discuss these issues and decide if which group should address the solution space. Last sentence does not parse (and I'm not quite sure what you were trying to say, so unclear how to fix it). W Ooof. I obviously failed to incorporate the correct wording from my co-chair. What this sentence is trying to say is: The group will then discuss these issues and decide if which group should address the solution space. Is something like this: dnsop will take in drafts that revolve around DNS-related issues, and the group will discuss the problem space (via drafts) and decide: 1. should the solution space be addressed in dnsop? 2. If not, help decide where the work would be better carried out and work with the appropriate ADs on this. This still sounds horrible. tim ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Daniel Migault Orange Labs -- Security +33 6 70 72 69 58 ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Changes to Charter
On 3/21/14, 9:46 AM, Daniel Migault wrote: I am fine with these 2 items if DNS includes DNSSEC. Maybe replacing DNS by DNS or DNSSEC clarify this. Currently #2 of the charter states: 2. Publish documents concerning DNSSEC operational procedures. But I understand what you mean here, and I was thinking it was a logical extension. tim ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] on the subject of dnse
Phillip Hallam-Baker wrote: This was the use case that originally drove the development of OmniBroker. If we do DNS Encryption right it is going to be very easy for end users to chose their DNS provider and very hard for the authorities to block them. +1. Security is a balance. Going through 8.8.8.8 rather than direct means that you are leaking privacy sensitive information to Google. But that is probably less important here than the censorship attack. noting, google's public claims about not data mining any part of the 8.8.8.8 query flow, are believable. we also now know that the greater risk is an on-path nation-state MiTM. i think we should solve for the latter and not worry about the former. vixie ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] New Version Notification for draft-schmidt-brainpool-dnssec-00.txt
On Mar 21, 2014, at 3:39 AM, Schmidt, Jörn-Marc joern-marc.schm...@secunet.com wrote: Dear all, I've just submitted the draft below on using ECDSA with Brainpool Curves for DNSSEC. The rationale behind this submission is the fact that the German electronic health insurance card (Gesundheitskarte) mandates the use of DNSSEC, while the use of Brainpool curves is recommended by the German Federal Office for Information Security (BSI). Currently, using ECC with DNSSEC is only specified for NIST Curves (RFC 6605). Hence, in order to comply with the recommendations on the one hand and with global specifications on the other hand, we wrote this draft. Any feedback/comments/thoughts are very welcome. Is the performance of these curves any better than P256, P384 and EC-GOST that are currently specified? Unless there is significant performance improvement over the Px curves this is IMHO wasted effort. Is there a reason to believe that the curves you request are significantly stronger than the currently specified curves? Why are you defining 3 curves ? There are only about 230 code points available for algorithms, we do not want vanity curves specified so unless you can JUSTIFY each one as being significantly better than what is currently specified what is the point this includes both Pxxx curves and ECC-GOST. Defining more algorithms decreases interoperability as code bases need to pick up all algorithms. While you talk about German regulations wanting some curve, that does not mean that they can mandate any domain to use it. Thus the issue of what german regulations use for health care cards is orthogonal to what is used by DNSSEC. If all you want is to publish German health Insurance Card keys in DNS then ask for a Gesundheit record to publish the keys, and then the consumption of these records only affects the those that need to process the keys. Sorry for the tone of the message but you need MUCH better justification in your next version for this to be considered, right now this looks like a pure vanity registration request. Olafur Best, Jörn --- A new version of I-D, draft-schmidt-brainpool-dnssec-00.txt has been successfully submitted by Joern-Marc Schmidt and posted to the IETF repository. Name: draft-schmidt-brainpool-dnssec Revision: 00 Title:ECC Brainpool Curves for DNSSEC Document date:2014-03-21 Group:Individual Submission Pages:6 URL: http://www.ietf.org/internet-drafts/draft-schmidt-brainpool-dnssec-00.txt Status: https://datatracker.ietf.org/doc/draft-schmidt-brainpool-dnssec/ Htmlized: http://tools.ietf.org/html/draft-schmidt-brainpool-dnssec-00 Abstract: This document specifies the use of ECDSA with ECC Brainpool curves in DNS Security (DNSSEC). It comprises curves of three different sizes. Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop