Re: [dane] Digest Algorithm Agility discussion

Mark Andrews <marka@isc.org> Tue, 18 March 2014 11:27 UTC

This whole argument of weakest vs strongest was had years ago in
DNSSEC and quite frankly is a waste of time trying to pick the
strongest as you are often comparing apples and oranges.

DNSSEC validators just have a way to say "we no longer trust this
algorithm" and once that is set all records with that algorithm are
ignored when doing validation regardless of whether there is code
to support that algorithm or not.

DANE implementations need a way to do the same for matching type.

Stop trying to over-engineer this.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
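
One way an implementation could apply the "we no longer trust this algorithm" switch to TLSA matching types, as an added example that is not part of the original message and not code from any DANE or DNSSEC implementation. The names `TLSA`, `usable`, `check`, the three result strings and the sample bytes are assumptions constructed for illustration; what a caller does on "no-usable-records" is left to local policy.

```python
import hashlib
import hmac
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # matching type: 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes

DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}
IMPLEMENTED = {0} | set(DIGESTS)

def usable(rrset, distrusted):
    """Records left after local policy is applied.

    The distrust test is independent of IMPLEMENTED, so a distrusted
    matching type is ignored whether or not there is code to support it.
    """
    return [r for r in rrset
            if r.mtype not in distrusted
            and r.mtype in IMPLEMENTED
            and r.selector in (0, 1)]

def check(rrset, cert_der, spki_der, distrusted=frozenset()):
    """Return "match", "no-match" or "no-usable-records" (hypothetical labels)."""
    records = usable(rrset, distrusted)
    if not records:
        return "no-usable-records"
    for r in records:
        selected = cert_der if r.selector == 0 else spki_der
        candidate = selected if r.mtype == 0 else DIGESTS[r.mtype](selected).digest()
        if hmac.compare_digest(candidate, r.data):
            return "match"
    return "no-match"

# Constructed sample input: placeholder bytes, not real DER.
CERT = b"constructed certificate bytes"
SPKI = b"constructed public key bytes"
RRSET = [
    TLSA(3, 1, 1, hashlib.sha256(SPKI).digest()),               # matches SPKI
    TLSA(3, 1, 2, hashlib.sha512(b"some other key").digest()),  # does not match
]

if __name__ == "__main__":
    for policy in (set(), {1}, {1, 2}):
        print(sorted(policy), check(RRSET, CERT, SPKI, policy))
```

No ranking of digests by strength is needed: the only decision is which matching types the operator has switched off.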