Re: [DNSOP] Working Group Last Call for: draft-ietf-dnsop-algorithm-update

fujiwara@jprs.co.jp Wed, 17 October 2018 21:18 UTC

Return-Path: <fujiwara@jprs.co.jp>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5912C130E00 for <dnsop@ietfa.amsl.com>; Wed, 17 Oct 2018 14:18:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5BknDOL6XpJn for <dnsop@ietfa.amsl.com>; Wed, 17 Oct 2018 14:18:05 -0700 (PDT)
Received: from off-send01.osa.jprs.co.jp (off-send01.osa.jprs.co.jp [IPv6:2001:218:3001:17::10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 071AA130DF0 for <dnsop@ietf.org>; Wed, 17 Oct 2018 14:18:04 -0700 (PDT)
Received: from off-sendsmg01.osa.jprs.co.jp (off-sendsmg01.osa.jprs.co.jp [172.23.8.61]) by off-send01.osa.jprs.co.jp (8.14.4/8.14.4) with ESMTP id w9HLI3rF021852 for <dnsop@ietf.org>; Thu, 18 Oct 2018 06:18:03 +0900
Received: from off-sendsmg01.osa.jprs.co.jp (localhost [127.0.0.1]) by postfix.imss71 (Postfix) with ESMTP id A66EE1800B6 for <dnsop@ietf.org>; Thu, 18 Oct 2018 06:18:02 +0900 (JST)
Received: from localhost (off-cpu05.osa.jprs.co.jp [172.23.4.15]) by off-sendsmg01.osa.jprs.co.jp (Postfix) with ESMTP id 967C91800B2 for <dnsop@ietf.org>; Thu, 18 Oct 2018 06:18:02 +0900 (JST)
Date: Thu, 18 Oct 2018 06:18:02 +0900 (JST)
Message-Id: <20181018.061802.1574444586575789321.fujiwara@jprs.co.jp>
To: dnsop@ietf.org
From: fujiwara@jprs.co.jp
In-Reply-To: <20181016.000457.1043014259425988884.fujiwara@jprs.co.jp>
References: <CADyWQ+GqybVhe6c-L_LyFB4wQPxOhOfMy_uwv46nSc2Y5-7FEQ@mail.gmail.com> <CADyWQ+Eq5OV5gi90-oCgAJ53yQ6-pw6+Aa+jDyoMLF8dSoZY_A@mail.gmail.com> <20181016.000457.1043014259425988884.fujiwara@jprs.co.jp>
X-Mailer: Mew version 6.6 on Emacs 24.4 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-TM-AS-MML: disable
X-TM-AS-Product-Ver: IMSS-7.1.0.1690-8.2.0.1013-24162.002
X-TM-AS-Result: No--16.245-5.0-31-10
X-imss-scan-details: No--16.245-5.0-31-10
X-TMASE-MatchedRID: 3RAVi5XHW/RCXIGdsOwlUu5i6weAmSDKZggZX8gYmrWdCqKtxM6bh+1m KOWe7EC+rU9UlbZVrFNAiuXzE3e7CzIOxhnMLmABvHKClHGjjr0xmbT6wQT2a9x5dDqraCBKhXA r+h4GfTCogbLctSj8//5FVGiloCiGuyXwa/V5eQqxNxaTG4Ot0nyzymMiw5QHIFBEE5CFomIONn COtDoJBd1MCYJynNUueo8Y7LCQaK8YB2fOueQzjzl/1fD/GopdyJ1gFgOMhOmLvqs87Ydq5q1dD oojS9MYRHBmOnaJEu/EQdG7H66TyH4gKq42LRYkrjmvbMC0SlCiXpEZMzSsNGmYiMW3D8Bwp3HU /RTsFUd+3BndfXUhXQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vbfOp3CxwJ4cRzTcLblqLxhpB6w>
Subject: Re: [DNSOP] Working Group Last Call for: draft-ietf-dnsop-algorithm-update
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Oct 2018 21:18:07 -0000

What I want to say about draft-ietf-dnsop-algorithm-update-02 are below:

1. About chapter composition

   If section 3.2 is "recommendations for operators",
   Section 3.1 and Section 3.3 are recommendations for software developpers
   and TLD/Root operators.

   # Sometimes TLD/Root do not accept newer algorithms and digests.

2. "recommendations for operators" section

   Section 3.2 lacks texts about RSASHA256 and other algorithms.
   Currently, both RSASHA256 and ECDSAP256SHA256 are first choices
   for operators.

3. texts about DS (and CDS) algorithms recommendation for operators needed

   In section 3.2 or 3.3, please add SHA-256 is necessary and enough
   DS algorithm for operators now.

4. In my opinion, Ed25519 is best algorithm some yars later.
   If the document describes both current RECOMMENDATIONS and
   RECOMMENDATIONS some years later, we can plan.

Regards,

--
Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>;

> From: fujiwara@jprs.co.jp
> WGLC comment to draft-ietf-dnsop-algorithm-update-02
> 
> Section 3.2 is "recommendations for operators".
> 
> There is texts that discuss ECDSAP256SHA256 only in section 3.2.
> However, RSASHA256 is still usable.
> Please add text about other algorithms.
> if there is a table similar to section 3.1, it will help operators.
> 
> For example,
>                  choice of                | choice of
>                  sigining algorithm (now) | sigining algorithm (2 years Later)
>   ----------------------------------------------------------------------------
>   RSASHA1*        MUST NOT                | MUST NOT
>   RSASHA256       usable                  | usable/consider change to EC*/Ed*
>   ECDSAP256*      usable                  | usable
>   Ed25519         MAY                     | usable
> 
> 
> Regards,
> 
> --
> Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>;
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>