[dns-operations] EdDSA status ?

Chris Thompson cet1 at cam.ac.uk
Mon Jun 4 13:13:58 UTC 2018


On Jun 1 2018, Viktor Dukhovni wrote:

>> On Jun 1, 2018, at 2:46 PM, Chris Thompson <cet1 at cam.ac.uk> wrote:
>> 
>> I find it a bit surprising that no-one has yet mentioned what must surely
>> be in many of our minds: that the parameter choices in EdDSA are much more
>> transparent than those for ECDSA, giving substantially greater confidence
>> that hidden backdoors have not been built in. https://safecurves.cr.yp.to/
>> is the obligatory reference.
>
>Unfortunately, on that topic we can only speculate.  We
>need to recognize that the speculation is part of the
>marketing of EdDSA and so not entirely unbiased, and at
>the same time, we can't entirely dismiss the Dual-EC
>fiasco.  So it is prudent to move towards EdDSA.

One should certainly remain sceptical about security information from
any source, and when I said that the parameter choices were "much more
transparent", I didn't mean "completely transparent". It is possible
that Dan Bernstein is in the employ of the Black Hats and has designed
fiendishly clever back doors into EdDSA. (But it would be such a scoop
if anyone could prove this, that I am sure people have looked quite hard.)
One just has to make the best judgements one can.

>However, given the long lag between spec + early code and
>broad support, EdDSA is not yet a practical *alternative*
>to P256. It can be fielded as an additional KSK, or perhaps
>as an additional ZSK alongside P256.

It certainly isn't yet practical to deploy for a production zone.
Hence this whole thread, presumably.

Algorithm change in DNSSEC has always been an operationally difficult
area. I am sure there are people who are sticking with RSA, hopefully
increasing the modulus size from time to time, and holding out for the
time when EdDSA becomes available.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk





More information about the dns-operations mailing list