Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

Philip Homburg <pch-dnsop-5@u-1.phicoh.com> Tue, 30 April 2024 15:02 UTC

Return-Path: <pch-b538D2F77@u-1.phicoh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33C1EC14F6F2 for <dnsop@ietfa.amsl.com>; Tue, 30 Apr 2024 08:02:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kYdobhUR95bx for <dnsop@ietfa.amsl.com>; Tue, 30 Apr 2024 08:02:38 -0700 (PDT)
Received: from stereo.hq.phicoh.net (stereo.hq.phicoh.net [IPv6:2a10:3781:2413:1:2a0:c9ff:fe9f:17a9]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CF25C14F619 for <dnsop@ietf.org>; Tue, 30 Apr 2024 08:02:38 -0700 (PDT)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305) (Smail #158) id m1s1p08-0000LZC; Tue, 30 Apr 2024 17:02:36 +0200
Message-Id: <m1s1p08-0000LZC@stereo.hq.phicoh.net>
To: dnsop@ietf.org
Cc: Paul Wouters <paul@nohats.ca>
From: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>
Sender: pch-b538D2F77@u-1.phicoh.com
References: <D95A2D1F-1203-4434-B643-DDFB5C24A161@icann.org> <67B93EF4-6B70-402E-9D78-1A079538CA18@strandkip.nl> <m1s1Wur-0000LDC@stereo.hq.phicoh.net> <f0f9c0ce-2911-9b4c-0d60-47c204add2d4@nohats.ca> <m1s1mGR-0000PPC@stereo.hq.phicoh.net> <fbce2996-346f-29fa-3534-45eaa142b96e@nohats.ca> <m1s1oHu-0000LZC@stereo.hq.phicoh.net> <0a9a6466-0e66-8c1c-2133-34da5eb52812@nohats.ca>
In-reply-to: Your message of "Tue, 30 Apr 2024 10:43:44 -0400 (EDT) ." <0a9a6466-0e66-8c1c-2133-34da5eb52812@nohats.ca>
Date: Tue, 30 Apr 2024 17:02:36 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xjPdHL_39bxNXQ3VDE3n_uYCJ0g>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Apr 2024 15:02:40 -0000

>- FIPS
>- PCI-DSS
>- BSI
>- OWASP
>- SOC2
>- PKI-industry & CAB/Forum
>- TLS, IPsec/IKE, OpenPGP, SMIME, et all at IETF.
>- All the cryptographers including CFRG

The problem is that none of them did an impact analysis for this draft.

Yes of course, in isolation it is good to move away from SHA1. Nobody
says SHA1 is great and that we should promote it. RFC 8624 already says that
algorithms 5 and 7 are not recommended for signing.

However, going ahead and breaking things is something different. And that
is exactly what is proposed here. And that is something that doesn't give
security benefits. Just a reduction of security in the name of crypto purity.
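The message above argues that no impact analysis was done and that a validator which drops algorithms 5 and 7 "breaks things". The following is an added example, not code from the thread or from any of the drafts, showing the mechanism behind that claim in a minimal impact-analysis script: it parses DS records from a parent zone, groups them per delegation, and reports each delegation's status under two hypothetical validator policies (the policy names, the sample records and the dummy digests are all constructed for this example). The one piece of protocol behaviour it relies on is RFC 4035 section 5.2: a DS RRset whose algorithms are all unsupported by the validator makes the child zone insecure (treated as unsigned), not bogus.

```python
"""Impact scan for a SHA1 algorithm deprecation in DNSSEC validators.

Added example, not part of the DNSOP thread or any draft. Policies, sample
records and digests are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# DNSSEC algorithm numbers (IANA registry) this example knows about.
ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    13: "ECDSAP256SHA256",
    15: "ED25519",
}

# Hypothetical validator policies (names chosen for this example).
# "current": 5 and 7 are still accepted for validation (RFC 8624 lists them
#            NOT RECOMMENDED for signing but still required for validation).
# "must_not_sha1": 5 and 7 are treated as unsupported algorithms.
POLICIES = {
    "current": {5, 7, 8, 13, 15},
    "must_not_sha1": {8, 13, 15},
}


@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def parse_ds_records(zone_text: str) -> list[DS]:
    """Parse DS records from presentation-format zone text; other RR types are skipped."""
    records: list[DS] = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing ';' comments
        if len(fields) < 8 or fields[3].upper() != "DS":
            continue
        owner, _ttl, _cls, _rtype, tag, alg, dtype, *digest = fields
        records.append(DS(owner, int(tag), int(alg), int(dtype), "".join(digest).lower()))
    return records


def delegation_status(ds_set: list[DS], policy: str) -> str:
    """Status of one delegation under a validator policy.

    Simplification: the chain is assumed to be otherwise correct, so the only
    question is whether the validator supports at least one DS algorithm.
    Per RFC 4035 section 5.2, a DS RRset with no supported algorithm makes the
    child insecure (unsigned from the validator's point of view), not bogus.
    """
    supported = POLICIES[policy]
    if not ds_set:
        return "unsigned"
    if any(ds.algorithm in supported for ds in ds_set):
        return "secure"
    return "insecure"


def impact_report(zone_text: str, before: str = "current",
                  after: str = "must_not_sha1") -> dict[str, tuple[str, str]]:
    """Map each delegated owner name to (status under `before`, status under `after`)."""
    by_owner: dict[str, list[DS]] = defaultdict(list)
    for ds in parse_ds_records(zone_text):
        by_owner[ds.owner].append(ds)
    return {
        owner: (delegation_status(ds_set, before), delegation_status(ds_set, after))
        for owner, ds_set in sorted(by_owner.items())
    }


def downgraded(report: dict[str, tuple[str, str]]) -> list[str]:
    """Delegations that lose validation entirely: secure before, insecure after."""
    return sorted(o for o, (b, a) in report.items() if b == "secure" and a == "insecure")


# Constructed sample parent zone: three delegations, dummy hex digests.
SAMPLE_ZONE = "\n".join([
    "a.example. 3600 IN DS 12345 8  2 " + "ab" * 32,
    "b.example. 3600 IN DS 23456 7  2 " + "cd" * 32 + " ; only a SHA1-algorithm key",
    "c.example. 3600 IN DS 34567 5  1 " + "ef" * 20 + " ; SHA1-algorithm key ...",
    "c.example. 3600 IN DS 45678 13 2 " + "01" * 32 + " ; ... alongside a non-SHA1 key",
])

if __name__ == "__main__":
    report = impact_report(SAMPLE_ZONE)
    for owner, (before, after) in report.items():
        print(f"{owner:12} current={before:8} must_not_sha1={after}")
    print("would lose DNSSEC protection:", downgraded(report))
```

Run on a real parent zone's DS RRsets, `downgraded()` lists the delegations whose only chain of trust runs through algorithm 5 or 7; those are the zones that, under the stricter policy, go from validated to unvalidated rather than to a hard failure, which is what the message refers to as a reduction of security.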