[secdir] Secdir telechat review of draft-ietf-dnsop-must-not-sha1-06
Yoav Nir via Datatracker <noreply@ietf.org> Sun, 13 April 2025 18:01 UTC
Reply-To: Yoav Nir <ynir.ietf@gmail.com>
To: secdir@ietf.org
CC: dnsop@ietf.org, draft-ietf-dnsop-must-not-sha1.all@ietf.org, last-call@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/YCagRk5T0qkbi_3hlfRT6ddiU7A>
Document: draft-ietf-dnsop-must-not-sha1
Title: Deprecating the use of SHA-1 in DNSSEC signature algorithms
Reviewer: Yoav Nir
Review result: Ready

The document is fine as it is.

I will say that the Security Considerations section is a bit strange:

   This document deprecates the use of RSASHA1 and RSASHA1-NSEC3-SHA1
   signatures since they are no longer considered to be secure.

But that is a common problem with documents like this that deprecate
existing algorithms or protocol options for security reasons. Some
documents got around this by claiming that the whole document is
security considerations. For example, a draft of RFC 7568 (deprecating
SSLv3) said:

   This entire document aims to improve security by prohibiting the use
   of a protocol that is not secure.

But they toned it down for the final RFC.

Anyway, it's fine as it is.
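The practical question behind the draft quoted in the review is whether a zone still carries keys, signatures or delegation records for the two SHA-1 based algorithms. The script below is an added example, not code from the review, the draft or the DNSOP working group; it audits records in zone-file presentation format for algorithm numbers 5 (RSASHA1, RFC 4034) and 7 (RSASHA1-NSEC3-SHA1, RFC 5155), which are the IANA registry values for the algorithms the draft names. The sample zone is constructed for illustration and its key and signature fields are placeholder base64. The parser assumes each record starts with an owner name and tolerates omitted TTL/class fields, `;` comments and parenthesised multi-line RRSIGs; it is an offline text check, not a validator.

```python
"""Audit DNSSEC records in zone-file presentation format for the two SHA-1
based signature algorithms the draft deprecates.

Added example, not code from the secdir review or from the draft.  Algorithm
numbers are taken from the IANA DNS Security Algorithm Numbers registry:
RSASHA1 = 5 (RFC 4034) and RSASHA1-NSEC3-SHA1 = 7 (RFC 5155).  The sample
records below are constructed for illustration; key and signature fields are
placeholder base64, not real material.
"""

# Algorithm numbers whose signature hash is SHA-1.
SHA1_SIGNATURE_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}

# Zero-based index of the algorithm field inside the RDATA of each record type
# that carries one (RFC 4034 for DNSKEY/RRSIG/DS; CDS/CDNSKEY share the layout).
ALGORITHM_FIELD_INDEX = {
    "DNSKEY": 2,   # flags protocol algorithm public-key
    "CDNSKEY": 2,
    "RRSIG": 1,    # type-covered algorithm labels original-ttl ...
    "DS": 1,       # key-tag algorithm digest-type digest
    "CDS": 1,
}


def _logical_lines(zone_text):
    """Yield (line_number, text) with ';' comments stripped and parenthesised
    multi-line records joined into a single logical line."""
    buf, start, depth = [], 0, 0
    for number, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0]
        if not buf:
            start = number
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            joined = " ".join(buf).strip()
            buf, depth = [], 0
            if joined:
                yield start, joined
    if buf:  # unterminated parenthesis at end of file: emit what we have
        joined = " ".join(buf).strip()
        if joined:
            yield start, joined


def find_sha1_records(zone_text):
    """Return one finding per DNSKEY/CDNSKEY/RRSIG/DS/CDS record whose
    algorithm number is RSASHA1 (5) or RSASHA1-NSEC3-SHA1 (7)."""
    findings = []
    for number, line in _logical_lines(zone_text):
        tokens = line.split()
        # TTL and class are optional in presentation format, so locate the
        # type mnemonic instead of assuming a fixed column.
        type_index = next((i for i, tok in enumerate(tokens)
                           if tok.upper() in ALGORITHM_FIELD_INDEX), None)
        if type_index is None:
            continue
        rtype = tokens[type_index].upper()
        rdata = tokens[type_index + 1:]
        field = ALGORITHM_FIELD_INDEX[rtype]
        if len(rdata) <= field or not rdata[field].isdigit():
            continue  # truncated or malformed record: nothing to judge
        algorithm = int(rdata[field])
        if algorithm in SHA1_SIGNATURE_ALGORITHMS:
            findings.append({
                "line": number,
                "owner": tokens[0],
                "type": rtype,
                "algorithm": algorithm,
                "name": SHA1_SIGNATURE_ALGORITHMS[algorithm],
            })
    return findings


def zone_is_sha1_free(zone_text):
    """True when no key, signature or DS record references algorithm 5 or 7."""
    return not find_sha1_records(zone_text)


# Constructed sample: a SHA-1 KSK, the RRSIG it produced over the DNSKEY RRset,
# and a DS pointing at it, next to an ECDSAP256SHA256 (13) ZSK that is fine.
SAMPLE_ZONE = """\
; constructed sample; key and signature fields are placeholders
example.test.     3600 IN DNSKEY 257 3 7  AwEAAcKSKplaceholder==  ; KSK, alg 7
example.test.     3600 IN DNSKEY 256 3 13 oJMRESz5placeholder==  ; ZSK, alg 13
example.test.     3600 IN RRSIG  DNSKEY 7 2 3600 (
                       20250501000000 20250401000000 12345 example.test.
                       c2lnbmF0dXJlcGxhY2Vob2xkZXI= )
www.example.test.  300 IN A      192.0.2.1
www.example.test.  300 IN RRSIG  A 13 3 300 20250501000000 20250401000000 54321 example.test. c2ln==
example.test.     3600 IN DS     12345 5 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for f in find_sha1_records(SAMPLE_ZONE):
        print(f"line {f['line']}: {f['owner']} {f['type']} uses algorithm "
              f"{f['algorithm']} ({f['name']}), deprecated by the draft")
```

Run against a `dig +dnssec` transcript or a signed zone file the same way; the DS check matters because a parent-side DS with algorithm 5 or 7 keeps the SHA-1 chain alive even after the child rolls to a newer key.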