Re: draft-ietf-dnsext-dnssec-gost

Stephen Kent <> Mon, 15 February 2010 14:42 UTC

Mime-Version: 1.0
Message-Id: <p06240808c79b3c5ffff5@[]>
In-Reply-To: <>
References: <p06240806c799d87e7406@[]> <> <p06240805c79b294d87a8@[]> <>
Date: Mon, 15 Feb 2010 09:44:16 -0500
To: David Conrad <>
From: Stephen Kent <>
Subject: Re: draft-ietf-dnsext-dnssec-gost
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc:, Olafur Gudmundsson <>,
List-Id: IETF-Discussion <>

At 8:50 AM -0800 2/12/10, David Conrad wrote:
>On Feb 12, 2010, at 7:57 AM, Stephen Kent wrote:
>>> Who gets to decide on what algorithms get first class status and
>>> based on what criteria?
>> If we look at what the CP developed in the SIDR WG for the RPKI
>> says, the answer is the IESG.
> So, they're going to flip a coin or what?
> "Who" is largely irrelevant. The criteria is the interesting bit.

Both issues are relevant. Most of the other WGs dealing with this
issue have been in the security area and feel comfortable making
these decisions. The IESG has been comfortable with their decisions.
Note that changes have been made, for other than technical reasons,
e.g., initially TLS had DH & DSA as MUST and RSA as SHOULD, because
of patent issues. When the RSA patent expired, the roles were
reversed. So the IESG has been an active participant in these
decisions in the past.

>>> Steve brought up "national" algorithm, but we have also
>>> "personal" algorithms such as curve25519 or threefish.
>> WGs like IPsec, TLS, and SMIME have been able to say no to
>> "personal" algs for a long time.
> IPsec, TLS, and SMIME are all one-to-one. DNSSEC (in this context)
> is one-to-many.

Your observation is applicable to IPsec, not to S/MIME, and, for
practical purposes, not to TLS. An S/MIME message may be sent to
multiple recipients, so it is not literally one-to-one. S/MIME
accommodates algorithm diversity best for the public key algorithms
used to encrypt the content encryption key. It also can accommodate
diversity for the algorithm used to sign the message, but at a higher
cost. It does poorly if different recipients make use of different
content encryption algorithms. TLS is nominally 1-1, but in reality,
the vast majority of TLS use is for access to web sites that have a
very diverse set of clients. That requires a small set of mandatory
algorithms, to ensure interoperability. Finally, the question posed
was about how decisions on which algorithms are mandatory to
implement have been made in the IETF in the past. My reply
addressed that question.