Re: [dane] Digest Algorithm Agility discussion

Viktor Dukhovni <viktor1dane@dukhovni.org> Tue, 18 March 2014 14:14 UTC

Date: Tue, 18 Mar 2014 14:13:56 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140318141356.GO24183@mournblade.imrryr.org>
References: <alpine.LFD.2.10.1403171440540.32251@bofh.nohats.ca> <20140317222320.443521AC59@ld9781.wdf.sap.corp> <20140317225329.GK24183@mournblade.imrryr.org> <20140318112647.885B21190C03@rock.dv.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20140318112647.885B21190C03@rock.dv.isc.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/UtgIpagR4vgH8mA_fQHac19C2Zc
Subject: Re: [dane] Digest Algorithm Agility discussion
Precedence: list
Reply-To: dane@ietf.org

On Tue, Mar 18, 2014 at 10:26:47PM +1100, Mark Andrews wrote:

> This whole argument of weakest vs strongest was had years ago in
> DNSSEC and quite frankly is a waste of time trying to pick the
> strongest as you are often comparing apples and oranges.

The client ranks the algorithms by preference, in much the same
way that TLS ranks cipher-suites by preference and in TLSv1.2 even
signature algorithms by preference.  It does not matter whether
the rankings are objectively justified.  The client uses its most
preferred digest (perhaps it has hardware support for it).

> DNSSEC validators just have a way to say "we no longer trust this
> algorithm" and once that is set all records with that algorithm are
> ignored when doing validation regardless of whether there is code
> to support that algorithm or not.

If things are as you describe, this works poorly, since clients
continue to accept weak signatures on zones that have both strong
and weak signatures (RSA/SHA1 and RSA/SHA256) if the strong signature
fails to match the client trusts the weak, right?

It becomes difficult to phase out a weak algorithm because the
incentive to publish the strong along with the weak is reduced
as the benefit from doing so is delayed until clients actually
discontinue the weak algorithm.

-- 
	Viktor.

[dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Wouters
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Hoffman
Re: [dane] Digest Algorithm Agility discussion Paul Wouters
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Hoffman
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Wouters
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Hoffman
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Martin Rex
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion (c… Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Jim Schaad
Re: [dane] Digest Algorithm Agility discussion (c… Paul Hoffman
Re: [dane] Digest Algorithm Agility discussion (c… Andrew Sullivan
Re: [dane] Digest Algorithm Agility discussion (c… Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion (c… Scott Rose
Re: [dane] Digest Algorithm Agility discussion (c… Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion (c… Scott Rose
Re: [dane] Digest Algorithm Agility discussion Wes Hardaker
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Mark Andrews
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Paul Wouters
Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
Re: [dane] Digest Algorithm Agility discussion Wes Hardaker
Re: [dane] Digest Algorithm Agility discussion Wes Hardaker