[dns-operations] EdDSA status ?

Petr Špaček petr.spacek at nic.cz
Mon Jun 4 14:20:06 UTC 2018



On 4.6.2018 15:13, Chris Thompson wrote:
> On Jun 1 2018, Viktor Dukhovni wrote:
> 
>>> On Jun 1, 2018, at 2:46 PM, Chris Thompson <cet1 at cam.ac.uk> wrote:
>>>
>>> I find it a bit surprising that no-one has yet mentioned what must 
>>> surely
>>> be in many of our minds: that the parameter choices in EdDSA are much 
>>> more
>>> transparent than those for ECDSA, giving substantially greater 
>>> confidence
>>> that hidden backdoors have not been built in. 
>>> https://safecurves.cr.yp.to/
>>> is the obligatory reference.
>>
>> Unfortunately, on that topic we can only speculate.  We
>> need to recognize that the speculation is part of the
>> marketing of EdDSA and so not entirely unbiased, and at
>> the same time, we can't entirely dismiss the Dual-EC
>> fiasco.  So it is prudent to move towards EdDSA.
> 
> One should certainly remain sceptical about security information from
> any source, and when I said that the parameter choices were "much more
> transparent", I didn't mean "completely transparent". It is possible
> that Dan Bernstein is in the employ of the Black Hats and has designed
> fiendishly clever back doors into EdDSA. (But it would be such a scoop
> if anyone could prove this, that I am sure people have looked quite hard.)
> One just has to make the best judgements one can.
> 
>> However, given the long lag between spec + early code and
>> broad support, EdDSA is not yet a practical *alternative*
>> to P256. It can be fielded as an additional KSK, or perhaps
>> as an additional ZSK alongside P256.
> 
> It certainly isn't yet practical to deploy for a production zone.
> Hence this whole thread, presumably.
> 
> Algorithm change in DNSSEC has always been an operationally difficult
> area. I am sure there are people who are sticking with RSA, hopefully
> increasing the modulus size from time to time, and holding out for the
> time when EdDSA becomes available.

Tangentially relevant - here is first TLD going away from RSA:

https://en.blog.nic.cz/2018/06/01/transition-to-elliptic-curves-in-the-cz-domain/

-- 
Petr Špaček  @  CZ.NIC



More information about the dns-operations mailing list