Re: draft-ietf-dnsext-dnssec-gost

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





Martin Rex пишет:




What I don't understand is whether the deprecation applies to
GOST R34.10-1994 in general,
Yes.
or only to GOST R34.10-1994 as a
signature algorithm.
No.


I am somewhat illiterate to crypto math, so I'm wondering whether
it is technicall possible to use a GOST R34.10-1994 key agreement
(ephemeral keys) in conjunction with GOST R34.10-2001 certs&signatures,
Never ever interested. ;)
and if yes -- whether that is still permitted by russian authorities.
No.


I should correct myself, the check against relevant documentation showed that it was more prolonged grace period allowed by authorities.

The usage of GOST R 34.10-94 is fully prohibited starting 1 of January 2008.
With one exception: it is allowed to check signatures under already signed archived documents using this algorithm.

As for TLS, using GOST R 34.10-94, this is fully non-compliant to Russian standards and should not be used.

Definitely, noone can be obliged to follow this outside the Russia or when using crypto in home environment or something of the kind.

Nevertheless, I would consider following this as a strong guideline because of two thoughts: - first of all, I think there was some reason for creating and putting into operation of new standard, spending a lot on its preparation and transition to it (consider GOST 28147-89, which is active for 20 years) - no certified software/hardware will support deprecated algorithm, so there definitely will interoperability problems.

I would like to return to topic, which concerns with the document describing the DNSSec extension with GOST algoritm. This document quotes RFC4357 as a reference to the used parameter set. Nothing more.

This document uses the only valid set of GOST algorithms for the purpose of usage in the DNSSec . In this document no TLS is used, no key agreement procedures are used, etc.

dol@

============ new topic ========

I think that the representation of GOST algorithms in IETF is relatively poor now. There should be several other documents which makes the structure and usage of these algorithms more clear for those who will be willing to implement it and for those who suddenly found it been implemented in his/her software/hardware already. This work has been already started from publication of standards' translation to English as Informational RFCs to have some basiv reference point. Then, there should be other document, describing implementation of GOST algorithm in detail in the manner to which IETF community is used to (The style of Russian standards is really hard for comprehension). There will be a lot of issues (defining scopes, fixing parameter sets, setting OIDs, ensuring non-controversity with existing implementations, etc.) which have to be solved when preparing this document, some of them were quoted in different GOST-relevant discussions. All of these comments are carefully collected and I hope will help a lot when preparing this document.

dol@




-Martin

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]