On 16.02.10 4:21, Phillip Hallam-Baker wrote:
> deploy as at present does not seem to have occurred to them. It is
> quite possible that what is driving the GOST issue is that the GRU
> really has a thing about vanity crypto. But I think it much more
> likely that they are going to use it as part of a series of
> regulations that effectively require Russian ISPs chain their DNSSEC
> off the GRU approved root.

I think that following some conspiracy theories is not a constructive
way to discuss this issue.
I want to refer you to the origin of this discussion on the IETF lists
and want to remind you what our initial reason was for following this
path and proposing GOST as one of the standard algorithms for DNSSEC.
As you know, we have some national regulation in crypto.
To implement DNSSEC we should
either use GOST (at this moment) and comply with regulations,
or ignore DNSSEC (no comments),
or try to change national laws (also no comments).
If someone can give us advice on what else to do, you are welcome.
After a series of discussions and consultations with many participants of
this list, we agreed with the recommendations and began this process to move
GOST forward as one of the mandatory standards.
Otherwise we can't achieve
"the goal is:
(1) for their zones, e.g. .ru, .su, and any new ones they get, to be
signed with GOST,
(2) for everyone to be able to validate their signatures, and
(3) for them to be able to validate everyone else's signatures.
For (2), they need to promulgate their algorithms into the standard
crypto libraries and have an algorithm identifier assigned through IANA.
I believe both of these are in progress.
For (3), they simply need to use the standard algorithms in their own
resolvers, and I believe they will be able to do this comfortably.
We're talking about checking, not signing, signatures, not encrypting."
Just a quote from this list.
Ietf mailing list