
Re: draft-ietf-dnsext-dnssec-gost

2010-02-11 15:05:15
On Thu, Feb 11, 2010 at 03:11:27PM -0500, Olafur Gudmundsson wrote:

> Who gets to decide on what algorithms get first class status and based
> on what criteria?

Without wanting to put words in Olafur's mouth, it seems to me that a
couple details are needed as background to focus this debate.  

At the moment, the only way to add a new algorithm to DNSSEC is
standards action.  So in order to add GOST, we have to have a
standards-track document.

We also have the problem that DNS clients cannot negotiate their
algorithms with the other end of the communication.  Moreover, the
natural fallback -- use a "MAY" algorithm by preference, but include a
MUST algorithm so that everyone can verify your signatures -- will
increase the size of DNS responses.  Alternatively, one can use a
"MAY" algorithm only, but with the knowledge that a substantial number
of people might not be able to validate (so they'll treat the answer
as unsecured, and not get the benefit of DNSSEC).

So the question here is not what algorithms get "first class" status
in general, but whether we want to have different classes of support
for DNSSEC, given the current conditions.  

Thanks and best regards,

A

-- 
Andrew Sullivan
ajs(_at_)shinkuro(_dot_)com
Shinkuro, Inc.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
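The two trade-offs Andrew describes (a MAY-only signer is treated as unsigned by validators that lack the algorithm; dual-signing with a MUST algorithm makes every validator happy but grows the response) can be made concrete. The following is an added example, not code from the message or from the GOST draft: it models a validator's outcome for a zone under the rules of RFC 4035 section 5.2 and RFC 6840 section 5.11, and counts the RRSIG bytes each signing policy adds to one answer RRset. Algorithm numbers are the IANA registry values; the signature lengths (128 bytes for an assumed 1024-bit RSA key, 64 bytes for GOST R 34.10-2001), the signer name `example.` and the two `Zone` scenarios are constructed for the illustration.

```python
"""
Model of how a DNSSEC validator treats answers from a zone signed with a
MAY-implement algorithm (GOST) alone versus dual-signed with a
MUST-implement algorithm, and how dual signing changes response size.

Added illustration, not code from the mailing-list message.  Algorithm
numbers are from the IANA DNS Security Algorithm Numbers registry; the
validator rules follow RFC 4035 section 5.2 and RFC 6840 section 5.11;
signature lengths are assumptions (1024-bit RSA keys, 64-byte GOST sigs).
"""
from dataclasses import dataclass
from typing import FrozenSet

RSASHA1 = 5      # RSA/SHA-1, mandatory-to-implement per RFC 4034 appendix A.1
ECC_GOST = 12    # GOST R 34.10-2001, RFC 5933

# Assumed signature lengths in bytes: 1024-bit RSA -> 128, GOST R 34.10-2001 -> 64.
SIG_BYTES = {RSASHA1: 128, ECC_GOST: 64}


@dataclass(frozen=True)
class Zone:
    ds_algs: FrozenSet[int]      # algorithms present in the parent's DS RRset
    dnskey_algs: FrozenSet[int]  # algorithms of keys in the zone's DNSKEY RRset
    rrsig_algs: FrozenSet[int]   # algorithms of RRSIGs covering an answer RRset


def validator_outcome(zone: Zone, supported: FrozenSet[int]) -> str:
    """Return "secure", "insecure" or "bogus" for a validator that implements
    exactly the algorithms in `supported`.

    RFC 4035 5.2: no supported algorithm in the DS RRset means no supported
    chain from the parent, so the zone is treated as unsigned ("insecure").
    Once a supported DS algorithm exists, the validator needs a DNSKEY and an
    RRSIG in an algorithm it supports; RFC 6840 5.11 lets it stop at one
    verified signature.  A supported key with no supported signature is
    "bogus".
    """
    if not zone.ds_algs & supported:
        return "insecure"
    usable_keys = zone.dnskey_algs & supported
    if not usable_keys:
        return "bogus"
    if zone.rrsig_algs & usable_keys:
        return "secure"
    return "bogus"


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a domain name (length-prefixed labels + root)."""
    labels = [label for label in name.split(".") if label]
    return 1 + sum(1 + len(label) for label in labels)


def rrsig_wire_size(alg: int, signer: str) -> int:
    """Bytes one RRSIG RR adds to a response.

    RR header with a compressed owner name: 2 (name pointer) + 2 type + 2 class
    + 4 TTL + 2 RDLENGTH = 12.  RRSIG RDATA fixed fields (RFC 4034 3.1): 18
    bytes, then the uncompressed signer name, then the signature.
    """
    return 12 + 18 + wire_name_len(signer) + SIG_BYTES[alg]


def signature_bytes(zone: Zone, signer: str) -> int:
    """Total RRSIG bytes covering one answer RRset under the zone's signing policy."""
    return sum(rrsig_wire_size(a, signer) for a in zone.rrsig_algs)


# Constructed scenarios: a zone signed with GOST only, and the same zone
# dual-signed with GOST plus the mandatory RSA/SHA-1.
GOST_ONLY = Zone(frozenset({ECC_GOST}), frozenset({ECC_GOST}), frozenset({ECC_GOST}))
DUAL = Zone(frozenset({RSASHA1, ECC_GOST}),
            frozenset({RSASHA1, ECC_GOST}),
            frozenset({RSASHA1, ECC_GOST}))


if __name__ == "__main__":
    for label, zone in (("GOST only", GOST_ONLY), ("dual-signed", DUAL)):
        for sup in (frozenset({RSASHA1}), frozenset({ECC_GOST})):
            print(f"{label:12s} validator supports {sorted(sup)}: "
                  f"{validator_outcome(zone, sup)}")
        print(f"{label:12s} RRSIG bytes per answer RRset: "
              f"{signature_bytes(zone, 'example.')}")
```

Running it shows the point of the message: the GOST-only zone is "insecure" (not bogus, so resolution still works, but without DNSSEC protection) for a validator that only has RSA/SHA-1, while the dual-signed zone validates everywhere at the cost of an extra 167-byte RRSIG per RRset in every answer. The `bogus` branch is the misconfiguration RFC 6840 5.11 warns about: advertising an algorithm in DS and DNSKEY without actually signing with it.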