Re: [secdir] review of draft-ietf-dnsext-dnssec-gost-05

Jeffrey Hutzelman <> Thu, 11 February 2010 17:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id F28EF3A7760 for <>; Thu, 11 Feb 2010 09:54:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.465
X-Spam-Status: No, score=-6.465 tagged_above=-999 required=5 tests=[AWL=0.134, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qBCZCGrlStF6 for <>; Thu, 11 Feb 2010 09:54:47 -0800 (PST)
Received: from (SMTP01.SRV.CS.CMU.EDU []) by (Postfix) with ESMTP id E64013A73F1 for <>; Thu, 11 Feb 2010 09:54:46 -0800 (PST)
Received: from LYSITHEA.FAC.CS.CMU.EDU (LYSITHEA.FAC.CS.CMU.EDU []) (authenticated bits=0) by (8.13.6/8.13.6) with ESMTP id o1BHthAY007203 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 11 Feb 2010 12:55:43 -0500 (EST)
Date: Thu, 11 Feb 2010 12:55:43 -0500
From: Jeffrey Hutzelman <>
To: Stephen Kent <>, Basil Dolmatov <>
Message-ID: <>
In-Reply-To: <28397_1265905809_o1BGU87p018787_p0624080cc799df651250@[]>
References: <p06240810c76be77be756@[]> <> <p06240818c76c1a38cbf8@[]> <> <> <p0624080bc78249fa2c22@[]> <> <p06240801c7837dde3143@[]> <> <28397_1265905809_o1BGU87p018787_p0624080cc799df651250@[]>
X-Mailer: Mulberry/4.0.8 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Scanned-By: mimedefang-cmuscs on
Cc: Andrew Sullivan <>,,, Ralph Droms <>
Subject: Re: [secdir] review of draft-ietf-dnsext-dnssec-gost-05
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 11 Feb 2010 17:54:48 -0000

--On Thursday, February 11, 2010 11:29:55 AM -0500 Stephen Kent 
<> wrote:

> At 9:06 PM +0300 2/10/10, Basil Dolmatov wrote:
>>> ...
>> Good shift in modal verbs <girn>.
>> I am fully agree that implementations "ought to have" but not "must
>> have" a code.
>> This is the difference between MUST and SHOULD as I understand it.
>> If SHOULD is used then "it is advised to have a code", but you can
>> omit it (after "careful weighting") and still be compliant.
>> If MUST is used - then you must have a code, otherwise you are not
>> compliant. No options. Period.
> I think Andrew's characterization is better than mine, and his follow-up
> message to you provied good examples.
>> ...
>>> We're debating the issue of how broad a set of algorithms
>>> MUST/SHOULD be supported by RPs, which is an architectural (and
>>> political) issue.
>> Having no means to inform other side about algorithms used is the
>> thing that differs SIDR from DNSSec.
> I agree that there is a big difference between protocols where one can
> discover or negotiate protocol options and ones where this is not the
> case. But I believe that SIDR and DNESEC are pretty much the same in this
> respect. Both the RPKI and DNSSEC publish data that discloses what algs
> the publisher has chosen to employ. Relying parties either accommodate
> those choices or they do not make use of the signed data.
>>> ...
>>> I'm glad we agree on this. Since SHOULD is only a
>>> slightly-diminished form of MUST, ...
>> Either SHOULD is the synonym of MUST and then the question rises
>> what it is present for if there is no real difference between it and
>> MUST (it "should" <grin> be named as obsolete), or SHOULD has it's
>> own meaning and should not be treated in discussions as MUST
>> equivalent.
> See Andrew's message, to which Im alluded above.
>>> ...
>> I want to make a reservation that I am not native English speaking
>> person, so sometimes I use only literal meaning of the words when
>> writing (and reading).
>> In order to clarify I will use an example from my profession (I am a
>> physicist):
>> Imagine that one astronomer will estimate the orbit of some comet
>> and say that "It is likely to hit the Earth".
>> Will it be the "threat" from the astronomer to the Earth? No, I
>> think that it will be just a "warning note", because the astronomer
>> have no influence on this process, he can only calculate the orbits
>> of comets.
>> Definitely, some people could say that "this astronomer threats us
>> with this comet", but it seems obvious that it is not the case. ;)
> OK. I'll interpret your comment as a comet warning :-).
>>>> Maybe this is the way the DNS system will develop, but now I think
>>>> that the some effort to keep the DNS system united is justified.
>>> Unified is a goal we both agree upon, but mandated support for
>>> national algorithms is NOT a unifying principle, it is a
>>> Balkanizing principle (if you'll pardon the term).
>> I am not familiar with this term and once more I object against
>> putting the equal sign between MUST and SHOULD modal verbs.
>> I still think that there is a significant difference between them
>> which is worth keeping both of these verbs in the list of
>> instruments of IETF standards description.
>> So, noone is talking about "mandated support" (which means MUST),
>> the bottom line is "to encourage support".
> MUST and SHOULD are not the same, but they are no so different as you
> seem to suggest.

It might be helpful for everyone to remember that while English has fairly 
loose definitions of "must" and "should", in this context MUST and SHOULD 
have precisely the meanings given them by RFC2119.  In particular, SHOULD 
is not mere advice or encouragement; it is a requirement almost as strong 
as MUST.  It doesn't mean "we think it's a good idea for you to do this"; 
it means "you absolutely have to do this unless...".

-- Jeff