

To: Derek Atkins <warlord@MIT.EDU>, Ólafur Guðmundsson <ogud@ogud.com>
Cc: Simon Josefsson <simon+dnssec@josefsson.org>, Jakob Schlyter <jakob@crt.se>, <dnssec@cafax.se>
From: Ólafur Guðmundsson <ogud@ogud.com>
Date: Fri, 07 Sep 2001 17:03:32 -0400
In-Reply-To: <sjmelpjrebc.fsf@rcn.ihtfp.org>
Sender: owner-dnssec@cafax.se
Subject: Re: Certificates and public keys

At 09:15 PM 9/6/2001, Derek Atkins wrote:
>Ólafur Guðmundsson <ogud@ogud.com>
>writes:
>
> > *thinking out loud* Maybe we should fix this problem by creating a
> > collection of key record types, DHKEY, RSAMD5KEY, DSAKEY, RSASHA1KEY,
> > ECCKEY
> > and have applications either ask for a particular record type or a meta
> > record type that gives you all.
>
>*shudders at the thought* How HORRIBLE a concept!!!  So as new
>algorithms (both encryption and hash) come along, we need to use up
>precious DNS type-space for them?  Considering the key-space in many
>of the security algorithms is at least 8 bits and many times even
>greater than that, are you willing to leave the same amount of space
>available in DNS?  How much type-space is there?
>
> > If we are going to do this, let's try to get as much right as possible.
> > We have plenty of type codes to burn.
>
>Do we?  Seriously, are you willing to give up, say, 8-bits of type
>space for different key/hash/etc. security algorithms?  How about 16
>bits of space?


I do not think that will happen; currently only two digest algorithms
are in use, one of them being phased out (MD5), and two are on the
horizon, RIPEMD and SHA-2.
There are 3 public key algorithms that I know of: RSA, DSA and ECC;
most use SHA-1 as digest. Right now there are 4 ALG/DIGEST pairs
allocated; 2 pairs will never be proposed, ECC and DSA with MD5.

I think that we will see one or two new algorithms a decade and
some old ones being retired.

In 1994/1995 the argument was: do we use one SIG record, or do we allocate
one BIT in the type code as the SIG bit? I was one of the people arguing
against the SIG bit; this was wrong. For example, BIND-9
internally stores SIG records for each RR type as a set, just as the SIG bit
would have done.

At the same time there was a proposal to use a separate type for
each KEY algorithm; this was also rejected for the same reason
you are putting forward, conserving the type space.
Certain protocols, with small type space (8 bit) and liberal
allocation policies (half the space for private use types),
run out of type codes quickly. DNS has a large type space and
strict allocation policies, conserving the type space to a fault.


Back to the question that I wanted to ask in the previous message:
do applications want a PARTICULAR algorithm or ANY algorithm allowed
by the protocol?

         Olafur
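The design question the message closes with, an application naming one PARTICULAR algorithm versus accepting ANY algorithm its protocol allows, as an added Python illustration that is not part of this thread: a single KEY RRset carrying several algorithms is decoded from RFC 2535 RDATA (16-bit flags, 8-bit protocol, 8-bit algorithm, key material) and filtered either way. With one "meta" type this selection happens in the application after the whole RRset arrives, which is what the per-algorithm record types in the quoted proposal would have pushed into the query itself. The RRset and key bytes are constructed; the algorithm numbers 1 to 5 are the RFC 2535 and RFC 3110 assignments, and 200 is a made-up code standing for a future assignment the code has never heard of.

```python
"""Selecting keys from one mixed-algorithm KEY RRset (added illustration)."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set

# Algorithm numbers as assigned in RFC 2535 section 3.2 and RFC 3110.
RSAMD5, DH, DSA, ECC, RSASHA1 = 1, 2, 3, 4, 5
ALG_NAMES = {RSAMD5: "RSA/MD5", DH: "DH", DSA: "DSA", ECC: "ECC", RSASHA1: "RSA/SHA-1"}


@dataclass(frozen=True)
class KeyRecord:
    """Decoded RFC 2535 KEY RDATA."""
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes


def build_key_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Encode KEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def parse_key_rdata(rdata: bytes) -> KeyRecord:
    """Decode KEY RDATA; the fixed 4-byte header must be present."""
    if len(rdata) < 4:
        raise ValueError("KEY RDATA shorter than its 4-byte fixed header")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return KeyRecord(flags, protocol, algorithm, rdata[4:])


def keys_for_algorithm(rrset: Iterable[KeyRecord], algorithm: int) -> List[KeyRecord]:
    """The PARTICULAR-algorithm case: the application names exactly one algorithm."""
    return [k for k in rrset if k.algorithm == algorithm]


def keys_allowed(rrset: Iterable[KeyRecord], allowed: Set[int]) -> List[KeyRecord]:
    """The ANY-allowed case: the protocol supplies the set it still accepts."""
    return [k for k in rrset if k.algorithm in allowed]


def unknown_algorithms(rrset: Iterable[KeyRecord]) -> Set[int]:
    """Algorithm codes present in the RRset that this code has no name for."""
    return {k.algorithm for k in rrset} - set(ALG_NAMES)


# Constructed RRset for one owner name: a key each for RSA/MD5, DSA and
# RSA/SHA-1, plus one with a made-up future algorithm code (200). The key
# bytes are placeholders, not real key material.
ZONE_KEY_FLAGS = 0x0100  # zone key bit of the RFC 2535 flags field
PROTO_DNSSEC = 3         # protocol octet value 3 = DNSSEC
SAMPLE_RDATA = [
    build_key_rdata(ZONE_KEY_FLAGS, PROTO_DNSSEC, RSAMD5, b"constructed-rsa-md5-key"),
    build_key_rdata(ZONE_KEY_FLAGS, PROTO_DNSSEC, DSA, b"constructed-dsa-key"),
    build_key_rdata(ZONE_KEY_FLAGS, PROTO_DNSSEC, RSASHA1, b"constructed-rsa-sha1-key"),
    build_key_rdata(ZONE_KEY_FLAGS, PROTO_DNSSEC, 200, b"constructed-future-alg-key"),
]
SAMPLE_RRSET = [parse_key_rdata(r) for r in SAMPLE_RDATA]

if __name__ == "__main__":
    for k in keys_for_algorithm(SAMPLE_RRSET, RSASHA1):
        print("particular:", ALG_NAMES[k.algorithm])
    # A protocol that has retired MD5 lists only the algorithms it still accepts.
    for k in keys_allowed(SAMPLE_RRSET, {DSA, RSASHA1}):
        print("allowed:", ALG_NAMES[k.algorithm])
    print("unknown algorithm codes:", unknown_algorithms(SAMPLE_RRSET))
```

The point of `unknown_algorithms` is the one the thread circles around: with a single KEY type, a new algorithm number costs nothing in the type space and simply shows up as an unfamiliar octet that old software must be prepared to skip, whereas a separate record type per algorithm would make it invisible to anyone querying the old types.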

