[dnssec-deployment] DNSSEC in Russia
Ed.Lewis at neustar.biz
Thu Apr 2 18:49:58 EDT 2009
At 14:30 -0700 4/2/09, Paul Hoffman wrote:
>I wrote earlier:
>The cryptographic community. In the IETF, such questions often go to the
>IRTF but the final decision remains in the IETF process.
I think therein lies a major disagreement.
On the one hand we have the IETF, a group focused on technology, with
a leadership that is selected via a closed mechanism (nomcom), yadda,
yadda, yadda. On the other hand we have governments which have a
much broader scope of concern and expertise and in some cases, a much
more open means of selecting the decision makers, and so on.
(I served on the IETF nomcom once. Closed - we weren't even allowed
to divulge the names of the real candidates.)
Perhaps that's a grandstanding statement - okay, yes it is.
The global public internet is not a toy for the engineers' benefit.
When it comes to the parameters within which we have to work - the
sources are many. Let's not fool ourselves that this is a technocracy.
This is why I am trying to go out of my way to make sure the
technology can be bent to accommodate a requirement laid upon us, no
matter what the source, so long as compliance is desirable. Do we
want Russia to be able to use DNSSEC? I think so.
I don't question requirements. I'm willing to show how they are best
met, and let the owner of the requirement decide whether to continue.
>>I can't get a straight answer from a cryptographer about what's a suitable
>>key length in RSA, much less an answer about the soundness of an algorithm.
>I doubt the first part; please show which cryptographers gave different
>opinions on a suitable key length for RSA when presented with the right
>inputs (key lifetime and value). The second is an inherent problem with
>security: attacks always get better, and usually at unexpected times.
Perhaps when I said "I can't get a straight answer" it wasn't clear
that I was talking about my experience in this manner. Whenever I
tried to pin someone down to a recommendation, the conversation
turned evasive. Always has, even with a "friend" cryptographer. As
I said at the mic at DNSOP last week - "I've never seen anyone
willing to admit they are a cryptographer on tape." What I love
about the whole field is that experts are so unwilling to ever give
definitive answers - lawyers are less evasive. Sorry lawyers.
>>I don't agree that the presence of an algorithm in a zone lowers the security
>>of a zone relative to the other algorithms in it.
>So you're fine with IANA signing the root zone with an RSA key of length 64,
>along with the other keys it signs with? Others may disagree with this.
I should add, I never assumed IANA would be signing with GOST (nor
even at all), perhaps the signatures for the root zone are applied by
different entities holding the respective private keys.
But I don't suspect that is what you meant. The goal is to meet
requirements, although requirements are subject to negotiation. Some
more so than others, and to varying degrees.
NeuStar You can leave a voice message at +1-571-434-5468
Getting everything you want is easy if you don't want much.