
Re: DHCID and the use of MD5

2005-11-29 15:29:09
Sam:

Perhaps I was being too terse. I think we are in agreement about the most important parts. I was trying to say that once you are forced to deploy new code, protocol changes and algorithm changes are both available options.

Russ


At 12:51 PM 11/29/2005, Sam Hartman wrote:
>>>>> "Russ" == Russ Housley <housley(_at_)vigilsec(_dot_)com> writes:

    Russ> At 11:44 AM 11/29/2005, Sam Hartman wrote:
    >> Honestly though the authors seem more upset about agility than
    >> about md5.  I think we're certain we want agility.

    Russ> There are two kinds of algorithm agility: - build it into
    Russ> the protocol - update the protocol each time you want to use
    Russ> a new algorithm

I disagree that you always have the second.  In particular you may not
have behavior that allows you to change the protocol.  For example the
SMIME verifier behavior of requiring all (instead of one) signature to
validate makes the change the protocol approach harder.

I think this is an example of a case where you don't have the second
kind of agility without changing the protocol.  In particular you need
clients and dhcp servers to expect there to be more than one record
available.

    Russ> Everyone always has the second. The author already made an
    Russ> argument against the first, but others seem to be supporting
    Russ> the other form.  I do not understand the impact on the
    Russ> current deployment.  Do you?

So, the deployed code will have to change somewhat already.  They are
currently using txt records; they will need to transition to this new
RR.


However the update behavior if you add agility is more complicated.


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
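
The two kinds of agility discussed in the thread, shown side by side as an added illustration (this is not code from the thread, the DHCID specification or any IETF implementation). The record layout, the one-byte digest type registry and its code points, the identifier bytes and the names are all constructed for the example: a "fixed" record whose hash is implied by the record type, an "agile" record that carries its digest type in-band so a verifier can learn which algorithm was used and refuse codes it does not know, and the transition case Sam raises, where a name carries more than one record and the verifier must be prepared to match against any of them.

```python
import hashlib
import hmac
import struct

# Constructed digest type registry for this illustration only; these are not
# the DHCID RR's real code points. Maps a one-byte code to a hash constructor.
DIGEST_TYPES = {
    1: hashlib.md5,     # legacy algorithm in the thread's discussion
    2: hashlib.sha256,  # candidate replacement
}


def build_record_fixed(identifier: bytes, fqdn: bytes) -> bytes:
    """'Update the protocol' style: the algorithm is implied by the record
    type, so nothing in the record says which hash produced it. Moving to a
    new hash means defining a new record (or a new RR type) and teaching
    every client and server about it."""
    return hashlib.md5(identifier + fqdn).digest()


def build_record_agile(identifier: bytes, fqdn: bytes, digest_type: int) -> bytes:
    """'Built into the protocol' style: a one-byte digest type code precedes
    the digest, so a verifier can select the algorithm from the record itself."""
    h = DIGEST_TYPES[digest_type]
    return struct.pack("!B", digest_type) + h(identifier + fqdn).digest()


def verify_agile(record: bytes, identifier: bytes, fqdn: bytes) -> bool:
    """Recompute the digest named by the record's type code and compare in
    constant time. An unknown code is a non-match, never an implicit accept."""
    if len(record) < 2:
        return False
    h = DIGEST_TYPES.get(record[0])
    if h is None:
        return False
    expected = h(identifier + fqdn).digest()
    return hmac.compare_digest(record[1:], expected)


def match_any(records, identifier: bytes, fqdn: bytes) -> bool:
    """Transition behaviour: while both algorithms are in use a name may carry
    several records made with different digest types. The verifier must be
    prepared for more than one record and accept a match against any record
    it understands (the opposite of requiring every record to validate)."""
    return any(verify_agile(r, identifier, fqdn) for r in records)


if __name__ == "__main__":
    # Constructed sample client identifier and name.
    ident = b"\x00\x01" + bytes.fromhex("001122334455")
    fqdn = b"client.example."
    old = build_record_agile(ident, fqdn, 1)
    new = build_record_agile(ident, fqdn, 2)
    print("fixed record length:", len(build_record_fixed(ident, fqdn)))
    print("agile (sha256) verifies:", verify_agile(new, ident, fqdn))
    print("unknown digest type rejected:",
          not verify_agile(b"\x09" + b"\x00" * 32, ident, fqdn))
    print("transition set matches:", match_any([old, new], ident, fqdn))
```

The point the agile form buys is that a verifier with only the new algorithm compiled in still knows what to do with a legacy record (reject it cleanly) rather than misinterpreting it, and a verifier that understands both can pick the right one without a protocol revision.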
