[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: OpenPGP Browser Support

From: Adam Langley
Subject: Re: OpenPGP Browser Support
Date: Fri, 25 Jul 2008 15:16:50 -0700

On Thu, Jul 24, 2008 at 3:37 PM, Duane <address@hidden> wrote:
> I have written in depth about this topic already, so rather than repeat
> myself I'll just paste a link to the relevant document:

This document seems to be dealing with something quite different,
namely providing some confidentiality to DNS resolvers. But that's not
an uninteresting topic in of itself.

However, rather than have queries encrypted to a server and signed
replies, I'd suggest that clients include an elliptic-curve
Diffie-Hellman public key in the request and encrypt the request with
the shared key (assuming that the client know's the server's key). The
server than calculates the shared key, encrypts the reply and sticks a
MAC on the end.

The advantage being that it should be a lot faster. Clients cache the
results and there's (effectively) no performance hit.

If a server can get a cache hit on the client's public key, it's
equally very fast. Otherwise (and this would almost always be the case
for root/gTLD servers), you can do about 4000 key
agreements/second/core[1]. For a modern, 8-core machine that's 32Kq/s.
I can't find recent data on DNS server load at the root or gTLD level,
although I suspect it's within an order of magnitude of that. For ISP
level server, that should be fine.


Adam Langley address@hidden

reply via email to

[Prev in Thread] Current Thread [Next in Thread]