On 9/06/2011, at 1:49 PM, Don Gould wrote:
On 9/06/2011 1:10 p.m., Jay Daley wrote:
One of the quickest ways for me to destroy trust in NZRS would be to answer the question "Why have you chosen a 2048 bit key?" with the response "Because that is what most of the other TLDs do." Any choice one way or the other needs a rational and evidenced explanation.
<big snip...>
If you are serious in proposing 2048 bit keys as alternative policy then can you provide a similar explanation to allow the community to judge the two?
.nz - 1280 bit
.au[1] - 2048 bit
Which one is more secure?
2048, undoubtedly so, but the issue is whether 1280 is good enough and by what margin. Our view is that it is good enough and by such a wide margin that shifting up to 2048 just adds resource costs onto our customers unnecessarily. After all 4096 is even more secure, so why not use that?
"When shopping on a web site you should consider looking for a .au site simply because the dns system is more secure. In New Zealand they only offer 1280 bit v's the 2048 bit that we offer our customers here in Australia... <Insert more FUD as desired>".
Yes, I read Jay's explanation, but are we going to have to write...
"In NZ we offer 1280/1 v's 2048/5, so in fact ours is more secure...."
If you look at my numbers above from a purely emotive point of view, with limited technical understanding, then 2048/5 just looks bigger, and a bigger bank vault = more secure in most people's eyes even if it's not.
Trust is often as much about perception as reality.
I agree, but in this case the perception issue is going to be between DNSSEC protected domains and domains not protected by DNSSEC, not key lengths. We know that from the precedent established with X.509 certs where people have no idea about cypher strength and key-length downgrades despite this being much more of a security threat than protection of the DNS data.
cheers
Jay
D
[1] insert random country of your choice that I might be wanting to do business with.... .au is simply an example.
--
Don Gould
31 Acheson Ave
Mairehau
Christchurch, New Zealand
Ph: + 64 3 348 7235
Mobile: + 64 21 114 0699
www.thinkdesignprint.co.nz
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
--
Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840
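The two halves of Jay's argument (1280 bits is "good enough and by a wide margin", and going to 2048 "adds resource costs onto our customers") can both be put into numbers. The script below is an added illustration, not code from the thread or from NZRS. It takes the fixed RRSIG and DNSKEY field sizes from RFC 4034 and the RSA encoding from RFC 3110 (where the signature is exactly as long as the modulus) to show how much larger each signed record and a sample signed response become at 1280, 2048 and 4096 bits. For the "margin" question it uses the textbook GNFS asymptotic run time as a heuristic, shifted so that a 1024-bit modulus sits at the conventional 80-bit level; that calibration, the signer name `nz.`, the 100-byte unsigned base response and the 1232-byte EDNS UDP budget are all assumptions made here for illustration, and the security estimate is a coarse model rather than a factoring benchmark.

```python
import math

# Fixed-size parts of an RRSIG RDATA (RFC 4034, section 3.1): type covered (2),
# algorithm (1), labels (1), original TTL (4), expiration (4), inception (4),
# key tag (2). The signer's name and the signature itself are variable-length.
RRSIG_FIXED_RDATA = 18
# Wire RR header when the owner name is a 2-byte compression pointer:
# name (2) + type (2) + class (2) + TTL (4) + RDLENGTH (2).
RR_HEADER_COMPRESSED = 12
# Fixed-size parts of a DNSKEY RDATA (RFC 4034, section 2.1): flags (2), protocol (1), algorithm (1).
DNSKEY_FIXED_RDATA = 4
# Assumed UDP payload budget for unfragmented DNS responses (illustrative, not from the thread).
EDNS_SAFE_UDP = 1232


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a domain name: a length byte per label plus the root byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def rsa_sig_len(modulus_bits: int) -> int:
    """An RSA PKCS#1 v1.5 signature occupies as many bytes as the modulus (RFC 3110)."""
    return (modulus_bits + 7) // 8


def rrsig_wire_len(modulus_bits: int, signer: str) -> int:
    """Bytes one RRSIG RR adds to a response when signed with an RSA key of this size."""
    return (RR_HEADER_COMPRESSED + RRSIG_FIXED_RDATA
            + wire_name_len(signer) + rsa_sig_len(modulus_bits))


def dnskey_wire_len(modulus_bits: int, exponent_bytes: int = 3) -> int:
    """Bytes of one RSA DNSKEY RR; RFC 3110 encodes a 1-byte exponent length (for exponents
    under 256 bytes, e.g. the 3-byte 65537), the exponent, then the modulus."""
    return (RR_HEADER_COMPRESSED + DNSKEY_FIXED_RDATA
            + 1 + exponent_bytes + rsa_sig_len(modulus_bits))


def signed_response_len(base_len: int, n_rrsigs: int, modulus_bits: int, signer: str) -> int:
    """Size of a response whose unsigned form is base_len bytes once n_rrsigs RRSIGs are attached."""
    return base_len + n_rrsigs * rrsig_wire_len(modulus_bits, signer)


def rsa_security_bits(modulus_bits: int, calibrate_1024_to: float = 80.0) -> float:
    """Heuristic strength estimate from the GNFS asymptotic cost L_N[1/3, (64/9)^(1/3)],
    expressed in bits and shifted so a 1024-bit modulus maps to the conventional 80-bit level.
    Assumption made for illustration: a coarse model, not a measured factoring cost."""
    def raw_bits(bits: int) -> float:
        x = bits * math.log(2)                     # ln N for a modulus N of this size
        c = (64 / 9) ** (1 / 3)
        return c * x ** (1 / 3) * math.log(x) ** (2 / 3) / math.log(2)
    return raw_bits(modulus_bits) - raw_bits(1024) + calibrate_1024_to


def compare(sizes=(1280, 2048, 4096), signer="nz.", base_len=100, n_rrsigs=2):
    """Map each key size to (est. security bits, RRSIG bytes, DNSKEY bytes, sample response bytes)."""
    return {
        bits: (round(rsa_security_bits(bits), 1),
               rrsig_wire_len(bits, signer),
               dnskey_wire_len(bits),
               signed_response_len(base_len, n_rrsigs, bits, signer))
        for bits in sizes
    }


if __name__ == "__main__":
    for bits, (sec, sig, key, resp) in compare().items():
        verdict = "fits" if resp <= EDNS_SAFE_UDP else "exceeds"
        print(f"RSA-{bits}: ~{sec} security bits, RRSIG {sig} B, DNSKEY {key} B, "
              f"sample response {resp} B ({verdict} {EDNS_SAFE_UDP} B)")
```

Run as-is it prints one line per key size; the RRSIG grows by 96 bytes when moving from 1280 to 2048 bits, so a response carrying two signatures grows by 192 bytes, while the heuristic security estimate moves from roughly the high 80s to around 110 bits. Those are the two quantities a registry has to weigh against each other, and the script makes the trade explicit rather than leaving it to whichever number "looks bigger".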