Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

Philip Homburg <pch-dnsop-5@u-1.phicoh.com> Mon, 29 April 2024 19:44 UTC

To: dnsop@ietf.org
Cc: Joe Abley <jabley@strandkip.nl>
From: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>
Sender: pch-b538D2F77@u-1.phicoh.com
References: <D95A2D1F-1203-4434-B643-DDFB5C24A161@icann.org> <67B93EF4-6B70-402E-9D78-1A079538CA18@strandkip.nl>
In-reply-to: Your message of "Mon, 29 Apr 2024 08:33:57 +0200 ." <67B93EF4-6B70-402E-9D78-1A079538CA18@strandkip.nl>
Date: Mon, 29 Apr 2024 21:43:56 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3etYPRoayqgdynxdLlWf3Nm-H4U>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

>I also don't think that simple, procedural documents that are
>straightforwardly-written and uncontentious ought to present a big drain
>on the resources of the working group. I think if we all tried really
>hard not to nitpick or to play amateur copy-editors we could probably
>last-call simple documents quite quickly and move on with our lives.

I don't know anything about GOST, but there is one thing I worry about
when it comes to SHA1.

As far as I know there is no second pre-image attack on SHA1, and there
will not be one in the foreseeable future.

So if we deprecate SHA1 for validators, and assuming validators will follow
this advice, and some platforms already stopped validating SHA1, then there
may be zones that are mostly secure today that become insecure or bogus
when we are done with the draft.

That doesn't seem to be a simple procedural discussion.
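As an added illustration of the concern above (this is example code, not part of the list message or of the drafts under adoption), the following Python models the rules a validator applies to a delegation: RFC 4035 section 5.2 says that a DS RRset containing no algorithm the validator supports is treated as if no DS existed (the zone becomes insecure), and RFC 6840 section 5.11 says that a single valid authentication path is sufficient. It then compares a validator policy that still accepts the SHA-1 based DNSKEY algorithms (5 and 7) and DS digest type 1 with one that has dropped them. The zone records, the "signature verifies" flags and the two policy sets are constructed inputs that stand in for real DS lookups and signature checks; which algorithms and digest types a deprecation would actually remove from validators is an assumption made here, not a statement of the drafts' content.

```python
"""Model of how a validator's supported-algorithm policy decides the
security status of a signed zone (added example; constructed inputs)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# DNSKEY algorithm numbers and DS digest types from the IANA DNSSEC registries.
RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, ECDSAP256SHA256, ED25519 = 5, 7, 8, 13, 15
DIGEST_SHA1, DIGEST_SHA256, DIGEST_SHA384 = 1, 2, 4


@dataclass(frozen=True)
class DS:
    """One DS record as published by the parent (key tag and digest omitted)."""
    algorithm: int
    digest_type: int


@dataclass(frozen=True)
class ValidatorPolicy:
    """The algorithms and DS digest types a validator is willing to use."""
    algorithms: FrozenSet[int]
    digest_types: FrozenSet[int]

    def usable(self, ds: DS) -> bool:
        return ds.algorithm in self.algorithms and ds.digest_type in self.digest_types


def delegation_status(ds_rrset: List[DS], verified_by_alg: Dict[int, bool],
                      policy: ValidatorPolicy) -> str:
    """Return "secure", "insecure" or "bogus" for a delegation.

    ds_rrset: the child's DS RRset, assumed already authenticated at the parent.
    verified_by_alg: constructed stand-in for signature checking; True means an
        RRSIG chain for that algorithm would verify against the child's DNSKEYs.
    """
    usable = [ds for ds in ds_rrset if policy.usable(ds)]
    if not usable:
        # RFC 4035 s5.2: no supported authentication path from parent to child,
        # so the validator proceeds as if the parent proved that no DS exists.
        return "insecure"
    # RFC 6840 s5.11: the validator accepts any single valid path.
    if any(verified_by_alg.get(ds.algorithm, False) for ds in usable):
        return "secure"
    # A supported path exists but none of them verifies.
    return "bogus"


# Constructed policies: before and after a validator drops SHA-1 support.
BEFORE = ValidatorPolicy(frozenset({RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256,
                                    ECDSAP256SHA256, ED25519}),
                         frozenset({DIGEST_SHA1, DIGEST_SHA256, DIGEST_SHA384}))
AFTER = ValidatorPolicy(frozenset({RSASHA256, ECDSAP256SHA256, ED25519}),
                        frozenset({DIGEST_SHA256, DIGEST_SHA384}))

# Constructed zones: (DS RRset, which algorithms' signatures verify).
ZONES: Dict[str, Tuple[List[DS], Dict[int, bool]]] = {
    # Signed only with RSASHA1; the case the message worries about.
    "sha1-only": ([DS(RSASHA1, DIGEST_SHA256)], {RSASHA1: True}),
    # Dual-signed during an algorithm rollover; a modern path exists.
    "dual-signed": ([DS(RSASHA1, DIGEST_SHA256), DS(ECDSAP256SHA256, DIGEST_SHA256)],
                    {RSASHA1: True, ECDSAP256SHA256: True}),
    # Modern algorithm, but the parent only publishes a SHA-1 digest DS.
    "sha1-digest-ds": ([DS(ECDSAP256SHA256, DIGEST_SHA1)], {ECDSAP256SHA256: True}),
    # A genuinely broken zone: the supported path does not verify.
    "broken-sig": ([DS(ECDSAP256SHA256, DIGEST_SHA256)], {ECDSAP256SHA256: False}),
}


def compare(zone: str) -> Tuple[str, str]:
    """Status of a zone under the BEFORE and AFTER validator policies."""
    ds_rrset, sigs = ZONES[zone]
    return (delegation_status(ds_rrset, sigs, BEFORE),
            delegation_status(ds_rrset, sigs, AFTER))


def zones_losing_security() -> List[str]:
    """Zones that validate today but silently become insecure after the change."""
    return sorted(name for name in ZONES if compare(name) == ("secure", "insecure"))


if __name__ == "__main__":
    for name in ZONES:
        print(f"{name:15s} before={compare(name)[0]:9s} after={compare(name)[1]}")
    print("lose security:", zones_losing_security())
```

The outcome worth noticing is that a SHA-1 only zone does not fail loudly: under the standard rules it drops from "secure" to "insecure", so its data is still served but without any protection, which is the silent downgrade the message is pointing at. A "bogus" result only arises where a supported path exists and fails to verify, which is why operators checking for SERVFAIL alone would not see the change.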