On 2009 Oct 19, at 9:15 , Jack Lloyd wrote:
On Sat, Oct 17, 2009 at 02:23:25AM -0700, John Gilmore wrote:
DSA was (designed to be) full of covert channels.
And, for that matter, one can make DSA deterministic by choosing the k
values to be HMAC-SHA256(key, H(m)) - this will cause the k value
> ts a fun story, but... RFC 4034 says RSA/SHA1 is mandatory and DSA is
> optional.
I was looking at RFC 2536 from March 1999, which says "Implementation
of DSA is mandatory for DNS security." (Page 2.) I guess by March 2005
(RFC 4034), something closer to sanity had prevailed.
http://rfc-edit
On Tue, Oct 20, 2009 at 09:20:04AM -0400, William Allen Simpson wrote:
> Nicolas Williams wrote:
> >Getting DNSSEC deployed with sufficiently large KSKs should be priority #1.
> >
> I agree. Let's get something deployed, as that will lead to testing.
>
>
> >If 90 days for the 1024-bit ZSKs is to
On Sat, Oct 17, 2009 at 10:23 AM, John Gilmore wrote:
>> Even plain DSA would be much more space efficient on the signature
>> side - a DSA key with p=2048 bits, q=256 bits is much stronger than a
>> 1024 bit RSA key, and the signatures would be half the size. And NIST
>> allows (2048,224) DSA par
Nicolas Williams wrote:
Getting DNSSEC deployed with sufficiently large KSKs should be priority #1.
I agree. Let's get something deployed, as that will lead to testing.
If 90 days for the 1024-bit ZSKs is too long, that can always be
reduced, or the ZSK keylength be increased -- we too can
> designed 25 years ago would not scale to today's load. There was a
> crucial design mistake: DNS packets were limited to 512 bytes. As a
> result, there are 10s or 100s of millions of machines that read *only*
> 512 bytes.
Yes, that was stupid, but it was done very early in the evolution
On Oct 17, 2009, at 5:23 AM, John Gilmore wrote:
Even plain DSA would be much more space efficient on the signature
side - a DSA key with p=2048 bits, q=256 bits is much stronger than a
1024 bit RSA key, and the signatures would be half the size. And NIST
allows (2048,224) DSA parameters as wel
At 12:31 AM 10/19/2009, Alexander Klimov wrote:
On Thu, 15 Oct 2009, Jack Lloyd wrote:
> Given that they are attempted to optimize for minimal packet size, the
> choice of RSA for signatures actually seems quite bizarre.
Maybe they try to optimize for verification time.
$ openssl speed
Verifi
On Oct 17, 2009, at 5:23 AM, John Gilmore wrote:
Even using keys that have a round number of bits is foolish, in my
opinion. If you were going to use about 2**11th bits, why not 2240
bits, or 2320 bits, instead of 2048? Your software already handles
2240 bits if it can handle 2048, and it's onl
>A bit too far for a quick visit (at least for me):
>http://news.bbc.co.uk/2/hi/uk_news/england/8241617.stm
Bletchley Park is always worth a visit, with or without a special
exhibit, as is the adjacent National Museum of Computing which houses
Colossus and a lot more interesting stuff.
An importa
On Sat, Oct 17, 2009 at 02:23:25AM -0700, John Gilmore wrote:
> > Given that they are attempted to optimize for minimal packet size, the
> > choice of RSA for signatures actually seems quite bizarre.
> Each of these records is cached on the client side, with a very long
> timeout (e.g. at least a
On Sat, Oct 17, 2009 at 02:23:25AM -0700, John Gilmore wrote:
> DSA was (designed to be) full of covert channels.
True, but TCP and UDP are also full of covert channels. And if you are
worried that your signing software or hardware is compromised and
leaking key bits, you have larger problems, no
12 matches
Mail list logo