Re: draft-ietf-dnsext-dnssec-gost

Olafur Gudmundsson <> Thu, 11 February 2010 20:10 UTC


On 11/02/2010 12:57 PM, Stephen Kent wrote:
> I recommend that the document not be approved by the IESG in its current
> form. Section 6.1 states:
>> 6.1. Support for GOST signatures
>> DNSSEC aware implementations SHOULD be able to support RRSIG and
>> DNSKEY resource records created with the GOST algorithms as
>> defined in this document.
> There has been considerable discussion on the security area directorate
> list about this aspect of the document. All of the SECDIR members who
> participated in the discussion argued that the text in 6.1 needs to be
> changed to MAY from SHOULD. The general principle cited in the
> discussion has been that "national" crypto algorithms like GOST ought
> not be cited as MUST or SHOULD in standards like DNSSEC. I refer
> interested individuals to the SECDIR archive for details of the discussion.
> (
> Steve

As a document shepherd I have made note that this is desired, but at
the same time this is a topic that was outside the scope of the working
This is on the other hand a topic that belongs in the IETF review.

So my questions to the IETF (paraphrasing George Orwell):

"Are all crypto algorithms equal, but some are more equal than others?"

Who gets to decide on what algorithms get first class status and based 
on what criteria?

Steve brought up "national" algorithms, but we also have "personal"
algorithms such as curve25519 or threefish.