[Opendnssec-user] ECC algo signing in ods?
PGNet Dev
pgnet.dev at gmail.com
Wed Dec 21 15:18:05 UTC 2016
On 12/19/2016 11:28 AM, Yuri Schaeffer wrote:
>> I assume that the ods algo #'s match the IANA's for the ECDSA P-256 & P-384 algos? i.e., "13" & "14"?
>
> Yes!
When switching to ECC algo, e.g. for AES-256 'equivalency' (fyi, why the keylength naming is as it is: http://crypto.stackexchange.com/questions/9901/why-is-the-p-521-elliptic-curve-not-in-suite-b-if-aes-256-is)

    14 ECDSA Curve P-384 with SHA-384

what's the required form for the <Algorithm length="???"> parameter?

kasp.xml

    ...
    <!-- Parameters for KSK only -->
    <KSK>
??      <Algorithm length="2048">8</Algorithm>
        <Lifetime>P1Y</Lifetime>
        <Repository>SoftHSM</Repository>
    </KSK>
    <!-- Parameters for ZSK only -->
    <ZSK>
??      <Algorithm length="1024">8</Algorithm>
        <Lifetime>P90D</Lifetime>
        <Repository>SoftHSM</Repository>
        <!-- <ManualRollover/> -->
    </ZSK>
    ...

Does it need to be SPECIFIED for ods config? as key length,

    <Algorithm length="384">P-384</Algorithm>

bit-depth,

    <Algorithm length="256">P-384</Algorithm>

or, since it's implicit in the curve definition, not at all,

    <Algorithm>P-384</Algorithm>

?