Re: [DNSOP] Call for Adoption draft-wouters-sury-dnsop-algorithm-update

"Paul Hoffman" <paul.hoffman@vpnc.org> Tue, 28 February 2017 21:45 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
To: dnsop <dnsop@ietf.org>
Date: Tue, 28 Feb 2017 13:45:06 -0800
Message-ID: <85834F4E-C2BB-4912-8275-3C006B1E41F3@vpnc.org>
In-Reply-To: <alpine.LRH.2.20.1702281627360.22841@bofh.nohats.ca>
References: <78013346-6100-f7e6-a3c8-87d2f92533d8@gmail.com> <F40B69DF-6391-4008-A7CD-C85277952D8A@dnss.ec> <alpine.LRH.2.20.1702281627360.22841@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/u2yN0u6MmiR_lDNjNr9Gyk-IWKo>

The recommendations in the document are completely unclear if it is 
talking about:

- what should be in signer implementations
- what should be in validator implementations
- what someone who is starting to sign today SHOULD/MUST use
- what someone who is already signing SHOULD/MUST use

I think those four lists are probably different. Before the document is 
picked up by the WG, it would be good if it made clear which lists it is 
for.

My personal feeling is that if we do the third, we should say MUST NOT 
with any SHA1 algorithm because they're going to get nailed in the 
future by people who refuse to validate it. If we do the fourth, I would 
say SHOULD NOT use now and SHOULD change within two years (or some moral 
equivalent of that).

--Paul Hoffman