Re: [dnsext] Clarifying the mandatory algorithm rules

["Jeffrey A. Williams" <jwkckid1@ix.netcom.com>]

Florian and all,

SHA-1 was broken aroud 3 years ago now.  1024k keysize was
not long ago broken by the University of Mich. 


-----Original Message-----
>From: Florian Weimer <fweimer@bfk.de>
>Sent: Nov 18, 2010 8:05 AM
>To: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
>Cc: dnsext@ietf.org
>Subject: Re: [dnsext] Clarifying the mandatory algorithm rules
>
>* W. C. A. Wijngaards:
>
>> That is what unbound does.  And it gets algorithm downgrade protection
>> security as a benefit (for the algorithms that it implements).
>
>And I don't see any other way to get a priori downgrade protection.
>There is no ordering of algorithm strengths.  For example, we don't
>know if SHA-1 or SHA-256 will be broken first.
>
>A posterio, you can drop validation for known-to-be-broken algorithms.
>But even that might be not so easy because it's somewhat subjective
>when an algorithm is broken.
>
>-- 
>Florian Weimer                <fweimer@bfk.de>
>BFK edv-consulting GmbH       http://www.bfk.de/
>Kriegsstraße 100              tel: +49-721-96201-1
>D-76133 Karlsruhe             fax: +49-721-96201-99
>_______________________________________________
>dnsext mailing list
>dnsext@ietf.org
>https://www.ietf.org/mailman/listinfo/dnsext

Regards,
Jeffrey A. Williams
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
Network Eng. SR. Eng. Network data security
ABA member in good standing member ID 01257402 
E-Mail jwkckid1@ix.netcom.com
Phone: 214-244-4827