Re: [secdir] review of draft-ietf-dnsext-dnssec-gost-05

Andrew Sullivan <ajs@shinkuro.com> Fri, 08 January 2010 14:44 UTC

Date: Fri, 08 Jan 2010 09:44:31 -0500
From: Andrew Sullivan <ajs@shinkuro.com>
To: Stephen Kent <kent@bbn.com>
Message-ID: <20100108144431.GB26259@shinkuro.com>
References: <p06240810c76be77be756@[128.89.89.161]> <20100107222809.GA25747@shinkuro.com> <p06240818c76c1a38cbf8@[128.89.89.161]>
In-Reply-To: <p06240818c76c1a38cbf8@[128.89.89.161]>
Cc: Ralph Droms <rdroms@cisco.com>, dol@cryptocom.ru, ogud@ogud.com, secdir@ietf.org
Subject: Re: [secdir] review of draft-ietf-dnsext-dnssec-gost-05

On Fri, Jan 08, 2010 at 09:07:24AM -0500, Stephen Kent wrote:
>
> For S/MIME and OPGP there is a requirement that, ultimately, the
> receiver has some way to verify the cert associated with the sender.
> However, it is common for senders to sign messages that are sent to
> mailing lists where the sender has no way of knowing what algorithms all
> the receivers support. So, your analysis for this case is off the mark.

This is a good point.  Thanks.

> Rather it makes sense to have a very limited number of algorithm suites 
> that MUST (or SHOULD) be implemented. My recommendation is to limit 
> mandated (MUST or SHOULD) support to just two: current and next.

Hrm.  Well, we already violate this recommendation, I think, but I
take your point.

> BTW, we have had this discussion in SIDR, where the RPKI has a similar 
> global scope and where Vasily had made a similar request for recognition 
> of GOST algorithms. So far, that WG has said no, for the reasons I cited 
> in my comments and above. The current plan there is to go with the two 
> suite model I described above.

Ok.  Thanks for this; it's useful feedback.

Best,

A

-- 
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.