RE: About draft-ietf-dnsext-ecc-key-07.txt, absence of algorithm restriction in ECC public key encoding
Actually, if you look in section 5 on page 11, it says you have to use SHA-1...
Donald
-----Original Message-----
From: Thierry Moreau [mailto:thierry.moreau@connotech.com]
Sent: Monday, August 15, 2005 9:15 AM
To: namedroppers@ops.ietf.org
Cc: rschroe@sandia.gov; Eastlake III Donald-LDE008
Subject: About draft-ietf-dnsext-ecc-key-07.txt, absence of algorithm restriction in ECC public key encoding
Dear all:
A quick question/comment about the draft draft-ietf-dnsext-ecc-key-07.txt, "Elliptic Curve KEYs in the DNS". In this draft document, I didn't see any indication of the public key algorithm to be used with a given public key (e.g. the same RSA public key value can be used with SHA-1 or MD5 for signatures, and a different DNSKEY RR encoding prevents an RSA-SHA-1 key from being diverted to RSA-MD5). This is somehow different from key usage, i.e. whether DNS zone signing is allowed.
For an instance of algorithm restriction with ECC public keys, see draft-ietf-pkix-ecc-pkalgs-01.txt.
Am I correct in reading the draft draft-ietf-dnsext-ecc-key-07.txt as omitting algorithm restrictions? If yes, I see a difficulty with the algorithm change threat once the ECC crypto is applied to DNS. Thus, I would expect the ECC public key format to be reworked before being applied to DNS.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: thierry.moreau@connotech.com
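The binding Thierry's concern hinges on, shown as an added example that is not part of either message: a DNSSEC verifier selects the DNSKEY by algorithm number and key tag (RFC 4034), so an RRSIG claiming RSA/MD5 over a key published as RSA/SHA-1 is rejected before any cryptographic verification runs. The DNSKEY key material, signer name, timestamps and signature bytes are constructed placeholders.

```python
import struct

# DNSSEC algorithm numbers from the IANA registry (RFC 4034, Appendix A.1).
RSAMD5, RSASHA1 = 1, 5

def key_tag(rdata: bytes) -> int:
    """Key tag computed over the whole DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(rdata: bytes) -> dict:
    """DNSKEY RDATA: flags (2), protocol (1), algorithm (1), public key (rest)."""
    flags, proto, alg = struct.unpack("!HBB", rdata[:4])
    return {"flags": flags, "protocol": proto, "algorithm": alg,
            "public_key": rdata[4:], "tag": key_tag(rdata)}

def parse_rrsig(rdata: bytes) -> dict:
    """RRSIG RDATA fixed header; signer name and signature follow and are not needed here."""
    f = struct.unpack("!HBBIIIH", rdata[:18])
    return {"type_covered": f[0], "algorithm": f[1], "labels": f[2],
            "original_ttl": f[3], "expiration": f[4], "inception": f[5], "key_tag": f[6]}

def algorithm_bound(dnskey_rdata: bytes, rrsig_rdata: bytes) -> bool:
    """True only when the RRSIG names the same algorithm number as the DNSKEY and the
    key tag matches; a signature under a different algorithm over the same key
    material is refused without ever touching the signature bytes."""
    key, sig = parse_dnskey(dnskey_rdata), parse_rrsig(rrsig_rdata)
    return (key["protocol"] == 3 and key["algorithm"] == sig["algorithm"]
            and key["tag"] == sig["key_tag"])

# Constructed sample: zone key (flags 256), protocol 3, RSA/SHA-1, RFC 3110 key layout
# (exponent length 3, exponent 65537) followed by 16 dummy modulus bytes.
SAMPLE_DNSKEY = struct.pack("!HBB", 256, 3, RSASHA1) + b"\x03\x01\x00\x01" + bytes(range(16))

def build_rrsig(algorithm: int, tag: int) -> bytes:
    """Constructed RRSIG RDATA covering type A with placeholder times and signature."""
    signer = b"\x07example\x03com\x00"
    header = struct.pack("!HBBIIIH", 1, algorithm, 2, 3600, 1124100000, 1122000000, tag)
    return header + signer + b"\xAA" * 8

if __name__ == "__main__":
    tag = key_tag(SAMPLE_DNSKEY)
    print(algorithm_bound(SAMPLE_DNSKEY, build_rrsig(RSASHA1, tag)))  # True: algorithms agree
    print(algorithm_bound(SAMPLE_DNSKEY, build_rrsig(RSAMD5, tag)))   # False: RSA/MD5 over an RSA/SHA-1 key
```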