Re: [dnsext] draft-ietf-dnsext-dnssec-algo-signal-07.txt

Paul Hoffman <paul.hoffman@vpnc.org> Tue, 17 July 2012 16:23 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <6EC11B57-B164-4214-AADE-E552D9B21753@frobbit.se>
Date: Tue, 17 Jul 2012 09:23:55 -0700
Message-Id: <85D2BE55-4028-468E-A07B-4F3B7406B68A@vpnc.org>
References: <6EC11B57-B164-4214-AADE-E552D9B21753@frobbit.se>
To: Patrik Fältström <patrik@frobbit.se>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] draft-ietf-dnsext-dnssec-algo-signal-07.txt

On Jul 17, 2012, at 6:00 AM, Patrik Fältström wrote:

> As this was announced on June 14, 2012, and Scott Rose immediately followed up with an announcement (http://www.ietf.org/mail-archive/web/dnsext/current/msg12514.html) and there have been exactly zero comments I am a bit shy of declaring victory.
> 
> Can I please get at least three people that have seen this version, read it, and support it moving forward (apart from myself and the authors of the document)?

I have read the document and think it may be ready for IETF review, but it also might not. Section 3 still says:
   The
   validating end-system resolver sets the value(s) in the order of
   preference, with the most preferred algorithm(s) first as described
   in section 2.
It does not say how a resolver chooses the order of preference, probably because they have no frigging idea how to measure that. How can one express a preference between RSA and ECDSA, for example, without knowing the RSA key length? Worse, how can you even have a preference when what you really have is a list of algorithms that you fully accept and a list that you fully reject?

My preference remains the same: get rid of this ordering, stop pretending that people who run resolvers care about this as much as security geeks do, and stop suggesting to people that they should care about something they do not understand. But if the WG wants to leave this in, no significant harm will be done.

--Paul Hoffman
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
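Added illustration of the point argued in the message above; it is not code from the draft, from RFC 6975, or from anyone in this thread. It encodes a resolver's algorithm list as an EDNS(0) option and then reads the same bytes two ways: as the ordered preference the draft text describes, and as the unordered accept set Paul says a resolver actually has. The option code 5 (DAU) and the one-octet-per-algorithm layout are taken from the published RFC 6975; it is an assumption here that the draft-07 wire format is the same. The algorithm numbers are the usual IANA DNSSEC values, and the RRSIG algorithm lists fed to `choose_signature` are constructed sample input.

```python
"""Ordered-preference versus accept-set readings of a DNSSEC algorithm
signal. Option code and layout assumed from RFC 6975 (see lead-in)."""
import struct

DAU = 5  # EDNS option code "DNSSEC Algorithm Understood" (RFC 6975)

# A few DNSSEC algorithm numbers from the IANA registry, for readability
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
             10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}


def encode_dau(algorithms):
    """Encode a list of algorithm numbers as one EDNS option:
    2-byte code, 2-byte length, then one octet per algorithm."""
    for a in algorithms:
        if not 0 <= a <= 255:
            raise ValueError(f"algorithm code out of range: {a}")
    data = bytes(algorithms)
    return struct.pack("!HH", DAU, len(data)) + data


def decode_options(blob):
    """Parse a sequence of EDNS options out of OPT RDATA.
    Returns [(code, data), ...]; rejects truncated or over-long options
    instead of silently reading past the end of the buffer."""
    options = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", blob, off)
        off += 4
        if len(blob) - off < length:
            raise ValueError("option data shorter than declared length")
        options.append((code, blob[off:off + length]))
        off += length
    return options


def dau_as_preference(blob):
    """Ordered reading: the list exactly as the client sent it."""
    for code, data in decode_options(blob):
        if code == DAU:
            return list(data)
    return []


def dau_as_accept_set(blob):
    """Set reading: which algorithms the client understands, no ordering."""
    return set(dau_as_preference(blob))


def choose_signature(blob, rrsig_algorithms):
    """For an RRset signed with several algorithms, report what each
    reading gives: the single algorithm the ordered list prefers, and the
    whole set of usable algorithms the accept-set reading allows."""
    pref = dau_as_preference(blob)
    accepted = dau_as_accept_set(blob)
    usable = [a for a in rrsig_algorithms if a in accepted]
    # ordered reading: the usable algorithm listed earliest by the client
    ordered_choice = min(usable, key=pref.index) if usable else None
    # set reading: every accepted algorithm is equally acceptable
    return ordered_choice, sorted(usable)


if __name__ == "__main__":
    # constructed sample: client says ECDSA P-256, then RSASHA256, then RSASHA1
    signal = encode_dau([13, 8, 5])
    # constructed sample: zone has RRSIGs with RSASHA256, ECDSA P-256, RSASHA512
    first, all_usable = choose_signature(signal, [8, 13, 10])
    print("ordered reading picks:", ALG_NAMES[first])
    print("set reading accepts:", [ALG_NAMES[a] for a in all_usable])
```

The two readings only differ when an RRset carries signatures under more than one accepted algorithm; with a single usable signature, the order the client sent carries no information at all, which is the situation Paul is describing.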