Martin Rex пишет:
What I don't understand is whether the deprecation applies to
GOST R34.10-1994 in general,
Yes.
or only to GOST R34.10-1994 as a
signature algorithm.
No.
I am somewhat illiterate to crypto math, so I'm wondering whether
it is technicall possible to use a GOST R34.10-1994 key agreement
(ephemeral keys) in conjunction with GOST R34.10-2001 certs&signatures,
Never ever interested. ;)
and if yes -- whether that is still permitted by russian authorities.
No.
I should correct myself, the check against relevant documentation showed
that it was more prolonged grace period allowed by authorities.
The usage of GOST R 34.10-94 is fully prohibited starting 1 of January 2008.
With one exception: it is allowed to check signatures under already
signed archived documents using this algorithm.
As for TLS, using GOST R 34.10-94, this is fully non-compliant to
Russian standards and should not be used.
Definitely, noone can be obliged to follow this outside the Russia or
when using crypto in home environment or something of the kind.
Nevertheless, I would consider following this as a strong guideline
because of two thoughts:
- first of all, I think there was some reason for creating and putting
into operation of new standard, spending a lot on its preparation and
transition to it (consider GOST 28147-89, which is active for 20 years)
- no certified software/hardware will support deprecated algorithm, so
there definitely will interoperability problems.
I would like to return to topic, which concerns with the document
describing the DNSSec extension with GOST algoritm.
This document quotes RFC4357 as a reference to the used parameter set.
Nothing more.
This document uses the only valid set of GOST algorithms for the purpose
of usage in the DNSSec . In this document no TLS is used, no key
agreement procedures are used, etc.
dol@
============ new topic ========
I think that the representation of GOST algorithms in IETF is relatively
poor now. There should be several other documents which makes the
structure and usage of these algorithms more clear for those who will be
willing to implement it and for those who suddenly found it been
implemented in his/her software/hardware already.
This work has been already started from publication of standards'
translation to English as Informational RFCs to have some basiv
reference point. Then, there should be other document, describing
implementation of GOST algorithm in detail in the manner to which IETF
community is used to (The style of Russian standards is really hard for
comprehension). There will be a lot of issues (defining scopes, fixing
parameter sets, setting OIDs, ensuring non-controversity with existing
implementations, etc.) which have to be solved when preparing this
document, some of them were quoted in different GOST-relevant
discussions. All of these comments are carefully collected and I hope
will help a lot when preparing this document.
dol@
-Martin
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf