Re: [secdir] review of draft-ietf-dnsext-dnssec-gost-05

Andrew Sullivan <> Fri, 08 January 2010 14:44 UTC

Date: Fri, 8 Jan 2010 09:44:31 -0500
From: Andrew Sullivan <>
To: Stephen Kent <>
Cc: Ralph Droms <>
Subject: Re: [secdir] review of draft-ietf-dnsext-dnssec-gost-05

On Fri, Jan 08, 2010 at 09:07:24AM -0500, Stephen Kent wrote:
> For S/MIME and OPGP there is a requirement that, ultimately, the
> receiver has some way to verify the cert associated with the sender.
> However, it is common for senders to sign messages that are sent to
> mailing lists where the sender has no way of knowing what algorithms all
> the receivers support. So, your analysis for this case is off the mark.

This is a good point.  Thanks.

> Rather it makes sense to have a very limited number of algorithm suites 
> that MUST (or SHOULD) be implemented. My recommendation is to limit 
> mandated (MUST or SHOULD) support to just two: current and next.

Hrm.  Well, we already violate this recommendation, I think, but I
take your point.

> BTW, we have had this discussion in SIDR, where the RPKI has a similar 
> global scope and where Vasily had made a similar request for recognition 
> of GOST algorithms. So far, that WG has said no, for the reasons I cited 
> in my comments and above. The current plan there is to go with the two 
> suite model I described above.

Ok.  Thanks for this; it's useful feedback.
Andrew Sullivan
Shinkuro, Inc.