Re: [secdir] review of draft-ietf-dnsext-dnssec-gost-05

Andrew Sullivan <ajs@shinkuro.com> Fri, 08 January 2010 14:44 UTC

Return-Path: <ajs@shinkuro.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6F4E73A6979 for <secdir@core3.amsl.com>; Fri, 8 Jan 2010 06:44:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.985
X-Spam-Level:
X-Spam-Status: No, score=-2.985 tagged_above=-999 required=5 tests=[AWL=-0.386, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RSDv14qzm1Md for <secdir@core3.amsl.com>; Fri, 8 Jan 2010 06:44:35 -0800 (PST)
Received: from mail.yitter.info (mail.yitter.info [208.86.224.201]) by core3.amsl.com (Postfix) with ESMTP id 8FAB03A6970 for <secdir@ietf.org>; Fri, 8 Jan 2010 06:44:35 -0800 (PST)
Received: from crankycanuck.ca (69-196-144-230.dsl.teksavvy.com [69.196.144.230]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.yitter.info (Postfix) with ESMTPSA id DEE702FE8CA1; Fri, 8 Jan 2010 14:44:32 +0000 (UTC)
Date: Fri, 8 Jan 2010 09:44:31 -0500
From: Andrew Sullivan <ajs@shinkuro.com>
To: Stephen Kent <kent@bbn.com>
Message-ID: <20100108144431.GB26259@shinkuro.com>
References: <p06240810c76be77be756@[128.89.89.161]> <20100107222809.GA25747@shinkuro.com> <p06240818c76c1a38cbf8@[128.89.89.161]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <p06240818c76c1a38cbf8@[128.89.89.161]>
User-Agent: Mutt/1.5.18 (2008-05-17)
Cc: Ralph Droms <rdroms@cisco.com>, dol@cryptocom.ru, ogud@ogud.com, secdir@ietf.org
Subject: Re: [secdir] review of draft-ietf-dnsext-dnssec-gost-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jan 2010 14:44:36 -0000

On Fri, Jan 08, 2010 at 09:07:24AM -0500, Stephen Kent wrote:
>
> For S/MIME and OPGP there is a requirement that, ultimately, the  
> receiver has some way to verify the cert associated with the sender.  
> However, it is common for senders to sign messages that are send to  
> mailing lists where the sender has no way of knowing what algorithms all 
> the receivers support. So, your analysis for this case is off the mark. 

This is a good point.  Thanks.

> Rather it makes sense to have a very limited number of algorithm suites 
> that MUST (or SHOULD) be implemented. My recommendation is to limit 
> mandated (MUST or SHOULD) support to just two: current and next.

Hrm.  Well, we already violate this recommendation, I think, but I
take your point.

> BTW, we have had this discussion in SIDR, where the RPKI has a similar 
> global scope and where Vasily had made a similar request for recognition 
> of GOST algorithms. So far, that WG has said no, for the reasons I cited 
> in my comments and above. The current plan there is to go with the two 
> suite model I described above.

Ok.  Thanks for this; it's useful feedback.

Best,

A

-- 
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.