[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Q2: crypto algorithm requirements for DNSSEC
Mark.Andrews@isc.org writes:
> > signing and verifying => making deployment more straightforward. And
> > ISTR from cryptography 101 class that it's usually not a good idea to
> > encrypt or sign the same stuff with different keys or algorithms.
>
> Encrypting things multiple times is a problem.
> Signing the same known plain text isn't.
Sure it is -- how do yo know what to do if:
1) you only have something signed using one algorithm
2) data is signed with multiple algorithms but one sig fails
3) data is signed with multiple algorithms but only one sig succeeds
There is a LOT of extra policy decision that needs to happen if you go
down this road. A lot of extra implementation, too!
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org
-derek
--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>