On Mar 21, 2014, at 3:39 AM, "Schmidt, Jörn-Marc" 
<joern-marc.schm...@secunet.com> wrote:

> Dear all,
> 
> I've just submitted the draft below on using ECDSA with Brainpool Curves for 
> DNSSEC. 
> 
> The rationale behind this submission is the fact that the German electronic 
> health insurance card (Gesundheitskarte) mandates the use of DNSSEC, while 
> the use of Brainpool curves is recommended by the German Federal Office for 
> Information Security (BSI). Currently, using ECC with DNSSEC is only 
> specified for NIST Curves (RFC 6605). Hence, in order to comply with the 
> recommendations on the one hand and with global specifications on the other 
> hand, we wrote this draft.
> 
> Any feedback/comments/thoughts are very welcome.
> 


Is the performance of these curves any better than P256, P384 and EC-GOST that
are currently specified?
Unless there is significant performance improvement over the Px curves this is
IMHO wasted effort.

Is there a reason to believe that the curves you request are significantly 
stronger than the currently specified curves? 

Why are you defining 3 curves?
There are only about 230 code points available for algorithms, we do not want
"vanity" curves specified, so unless you can JUSTIFY each one as being
significantly "better" than what is currently specified, what is the point?
This includes both Pxxx curves and ECC-GOST.
Defining more algorithms decreases interoperability as code bases need to pick
up all algorithms.

While you talk about German regulations wanting some curve, that does not mean
that they can mandate any domain to use it. Thus the issue of what German
regulations use for health care cards is orthogonal to what is used by DNSSEC.

If all you want is to publish German health Insurance Card keys in DNS then ask
for a "Gesundheit" record to publish the keys, and then the consumption of
these records only affects those that need to process the keys.

Sorry for the tone of the message but you need MUCH better justification in 
your next version for this to be considered,
right now this looks like a pure vanity registration request. 

        Olafur 


> Best,
> 
> Jörn
> 
> 
> ---
> A new version of I-D, draft-schmidt-brainpool-dnssec-00.txt
> has been successfully submitted by Joern-Marc Schmidt and posted to the IETF 
> repository.
> 
> Name:          draft-schmidt-brainpool-dnssec
> Revision:      00
> Title:         ECC Brainpool Curves for DNSSEC
> Document date: 2014-03-21
> Group:         Individual Submission
> Pages:         6
> URL:           http://www.ietf.org/internet-drafts/draft-schmidt-brainpool-dnssec-00.txt
> Status:        https://datatracker.ietf.org/doc/draft-schmidt-brainpool-dnssec/
> Htmlized:      http://tools.ietf.org/html/draft-schmidt-brainpool-dnssec-00
> 
> 
> Abstract:
>   This document specifies the use of ECDSA with ECC Brainpool curves in
>   DNS Security (DNSSEC).  It comprises curves of three different sizes.
> 
> 
> 
> 
> Please note that it may take a couple of minutes from the time of submission 
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
