Crypto-Politics Creep Into DNSSEC
Brenden Kuerbis writes on the Internet Governance Project Blog:
While the fight over using cryptography to protect personal communications was allegedly "won" during the late 1990s, the battle over using it to protect critical Internet resources is just heating up. News from the recent IETF in San Francisco and RANS conference in Moscow suggests that national crypto laws are now complicating efforts to secure the DNS.
Specifically, supporters of .ru have noted that while they are interested in deploying DNSSEC, there are legal and operational constraints surrounding the current crypto specs in the standard (i.e., RSA signature and SHA digest algorithms) that could make it difficult for Russian-based organizations to deploy the protocol. There are now efforts being made to introduce the Russian-developed GOST family of algorithms into the protocol.
In developing DNSSEC, the DNSEXT Working Group recognized the need and designed the protocol to support different algorithms simultaneously. Nonetheless, the protocol documents have mostly made a habit of recommending the use of the RSA signing and SHA hashing algorithms. To some extent this simply reflects the fact that RSA has been incorporated into protocols worldwide (e.g., SSL) and has broad market acceptance. But arguably it is also an artifact of the relatively small social network of authors and mostly American organizations involved in publishing DNSEXT RFCs to date.