At 4:04 PM -0500 2/11/10, Andrew Sullivan wrote:
So the question here is not what algorithms get "first class" status
in general, but whether we want to have different classes of support
for DNSSEC, given the current conditions.
First off, thank you for better stating the question.
There are a plethora of signing algorithms. Note that a signing algorithm
consists of a public key algorithm *and* a hash algorithm.
The question here is whether they also have SHOULD-level requirements to
process every signing algorithm that is in the IANA registry. Having such a
requirement gives attackers a much wider target: in order to spoof a signature,
they can pick the weakest of a large collection of algorithms.
For example, there is already a published attack on the GOST hash function that
does not exist in SHA-256 and SHA-512. The GOST algorithms have had much less
cryptographic review than other algorithms. If that attack becomes practical,
an attacker can create signatures using GOST that he/she could not create in
RSA/SHA-256 or RSA/SHA-512.
Given this, the answer to the question should be "no, not all algorithms
automatically get SHOULD-level requirements". The IETF can, on a case-by-case
basis, decide if they want to update the base DNSSEC spec to include a
SHOULD-level or MUST-level requirement for a new signature algorithm.
--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf