Re: [dnsext] I-D Action: draft-ietf-dnsext-dnssec-algo-imp-status-04.txt

Samuel Weiler <weiler@watson.org> Mon, 11 March 2013 20:15 UTC

Date: Mon, 11 Mar 2013 16:13:17 -0400
From: Samuel Weiler <weiler@watson.org>
To: Andrew Sullivan <ajs@crankycanuck.ca>
In-Reply-To: <20130311191607.GF38303@crankycanuck.ca>
Message-ID: <alpine.BSF.2.00.1303111558310.25246@fledge.watson.org>
References: <20130311152035.4888.59295.idtracker@ietfa.amsl.com> <20130311191607.GF38303@crankycanuck.ca>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] I-D Action: draft-ietf-dnsext-dnssec-algo-imp-status-04.txt

The substance is fine, but there's a preexisting ambiguity that the 
-04 changes arguably make worse:

Quoting from section 2.2:
"...RSASHA1-NSEC3-SHA1 is set to Recommended..."
"...RSA/SHA-256 and RSA/SHA-512 are also set to Recommended..."
"ECDSAP256SHA256 and ECDSAP384SHA384 are Recommended to Implement."...
"All other algorithms used in DNSSEC specified without an
implementation status are currently set to Optional."

The last sentence is the troubling one.  I think you mean "where no 
other document has set an implementation status", but that's somewhat 
vague, and it would be reasonable to interpret the doc as saying "and 
everything else is Optional", which is not what we intend.

There's a sentence in the introduction that argues for the second 
interpretation: "This document defines the current implementation 
status for _all_ registered algorithms." (emphasis added)


This version (-04) has a new sentence in section 4 saying: "...this 
document establishes the implementation status of every algorithm, 
...", which makes that alternate reading even more tempting.

I think something needs to change.  Most likely, we just need to 
restate in the text (not just the table) the status of RSASHA1 and 
RSAMD5.

Also, shouldn't the indirect, private, and privateoid text replace "up 
to the implementer's discretion" with "Optional"?  It's good to call 
out that these numbers could refer to multiple algorithms, as is done.

-- Sam