[ksk-change] FIPS-140 levels

Michael StJohns msj at nthpermutation.com
Mon Oct 6 21:21:44 UTC 2014

On 10/6/2014 3:23 PM, Paul Hoffman wrote:
> On Oct 6, 2014, at 12:17 PM, Richard Lamb <richard.lamb at icann.org> wrote:
>> FWIW: With enough warning I believe we can get AEP to work with us.
> With enough warning, I hope that IANA can get *all* the relevant HSM manufacturers to implement whatever curves are chosen by the IETF for TLS, and then possibly by this community for DNSSEC.

FWIW - it's trivial for most HSM manufacturer's to support the X9.63 
style curves and public keys and signatures.  Generally, it's just 
giving them the new curve data.  Supporting any of the non-X9.63 curves 
(including Curve25519 and probably the NUMS Twisted Edwards, but not the 
NUMS Weiserstrass) will require some selling to the HSM vendors (new 
math, new math engines, new formats etc) and something more than just 
the ICANN asking for them.

I don't think actually that being chosen for TLS is the right benchmark 
for DNSSEC - different needs.


> --Paul Hoffman
> _______________________________________________
> ksk-rollover mailing list
> ksk-rollover at icann.org
> https://mm.icann.org/mailman/listinfo/ksk-rollover

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20141006/22e6a9c0/attachment.html>

More information about the ksk-rollover mailing list