[DNSOP] Re: Mike Bishop's No Objection on draft-ietf-dnsop-must-not-sha1-06: (with COMMENT)
Wes Hardaker <wjhns1@hardakers.net> Tue, 20 May 2025 22:25 UTC
From: Wes Hardaker <wjhns1@hardakers.net>
To: Mike Bishop via Datatracker <noreply@ietf.org>
In-Reply-To: <174767243139.310160.5719310416177616736@dt-datatracker-59b84fc74f-84jsl> (Mike Bishop via Datatracker's message of "Mon, 19 May 2025 09:33:51 -0700")
References: <174767243139.310160.5719310416177616736@dt-datatracker-59b84fc74f-84jsl>
Date: Tue, 20 May 2025 15:25:52 -0700
Message-ID: <yblcyc2dimn.fsf@wd.hardakers.net>
CC: The IESG <iesg@ietf.org>, Mike Bishop <mbishop@evequefou.be>, draft-ietf-dnsop-must-not-sha1@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, tjw.ietf@gmail.com
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/T6wr-I6rnqSIFaH0gedPCWJYJ7I>
Mike Bishop via Datatracker <noreply@ietf.org> writes:

Hi Mike,

Thanks for the comments. Some responses inline:

> CURRENT: DNSSEC [RFC9364] originally [RFC3110] made extensive use of SHA-1 as a
> cryptographic hash algorithm in RRSIG and Delegation Signer (DS) records, for
> example. CONSIDER: DNSSEC [RFC9364] originally [RFC3110] made extensive use of
> SHA-1, for example as a cryptographic hash algorithm in RRSIG and Delegation
> Signer (DS) records.
>
> "are now" => "have become"

Changed! (you're the second to suggest it, thanks)

> Section 2:
>
> "MAY wish to" requires an RFC6919 reference (see
> https://datatracker.ietf.org/doc/html/rfc6919#section-6) and associated
> boilerplate. Instead, "MAY" is sufficient here. However, that seems in direct
> contradiction to the MUST in the first sentence. Is the intended sense here
> that implementations MUST retain the ability to validate, but SHOULD/MAY
> disable it by default?

The first sentence is in reference to implementers, and the second operators
("deployed"). So they are indeed different. I've dropped the "wish to" though.
Thanks for pointing that out.

-- 
Wes Hardaker
USC/ISI
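As an added illustration of the implementer/operator split discussed in this exchange (example code, not part of the draft or the thread), the following audits DS and RRSIG records for SHA-1 use and then applies a separate operator policy; the implementation always recognises the SHA-1 algorithm and digest numbers, while the `operator_accepts_sha1` knob is a hypothetical setting of my own, not anything the draft defines. Algorithm and digest-type numbers are taken from the IANA DNSSEC registries; the sample records are constructed.

```python
# Signing algorithm numbers whose scheme relies on SHA-1 (IANA DNSSEC algorithm registry).
SHA1_ALGORITHMS = {3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}
# DS digest type 1 is SHA-1 (IANA DS digest type registry).
SHA1_DS_DIGEST = 1

def parse_record(line):
    """Parse a DS or RRSIG record in presentation format (TTL/class optional); None otherwise."""
    fields = line.strip().split()
    for i in range(1, min(4, len(fields))):  # find the type token after the owner name
        if fields[i].upper() in ("DS", "RRSIG"):
            rrtype, rdata = fields[i].upper(), fields[i + 1:]
            break
    else:
        return None
    try:
        if rrtype == "DS":  # rdata: key tag, algorithm, digest type, digest
            return {"type": "DS", "algorithm": int(rdata[1]), "digest_type": int(rdata[2])}
        return {"type": "RRSIG", "algorithm": int(rdata[1])}  # rdata: type covered, algorithm, ...
    except (IndexError, ValueError):
        return None

def sha1_findings(line):
    """List the ways a record depends on SHA-1 (empty if it does not)."""
    rec = parse_record(line)
    if rec is None:
        return []
    found = []
    if rec["algorithm"] in SHA1_ALGORITHMS:
        found.append(f"{rec['type']} algorithm {rec['algorithm']} ({SHA1_ALGORITHMS[rec['algorithm']]})")
    if rec["type"] == "DS" and rec["digest_type"] == SHA1_DS_DIGEST:
        found.append("DS digest type 1 (SHA-1)")
    return found

def validator_verdict(line, operator_accepts_sha1):
    """Implementer/operator split: the code recognises SHA-1 records either way;
    the operator knob (a hypothetical setting) decides whether they are accepted."""
    findings = sha1_findings(line)
    if not findings:
        return "no-sha1"
    return "sha1-accepted" if operator_accepts_sha1 else "sha1-rejected"

# Constructed sample records; digest and signature fields are placeholders.
SAMPLE_ZONE = [
    "example.test. 3600 IN DS 12345 5 1 0123456789abcdef0123456789abcdef01234567",
    "example.test. 3600 IN DS 12345 13 2 " + "00" * 32,
    "example.test. 3600 IN RRSIG A 7 2 3600 20250601000000 20250501000000 12345 example.test. c2ln",
    "example.test. IN RRSIG A 13 2 3600 20250601000000 20250501000000 54321 example.test. c2ln",
]
```

Run `sha1_findings` over each line of `SAMPLE_ZONE` to see which records still depend on SHA-1; `validator_verdict` then shows how the same records are treated under the two operator settings.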