
Re: draft-ietf-dnsext-dnssec-gost

2010-02-11 12:06:11
At 12:57 PM -0500 2/11/10, Stephen Kent wrote:
I recommend that the document not be approved by the IESG in its current form. 
Section 6.1 states:

6.1.  Support for GOST signatures

  DNSSEC aware implementations SHOULD be able to support RRSIG and
  DNSKEY resource records created with the GOST algorithms as
  defined in this document.

There has been considerable discussion on the security area directorate list 
about this aspect of the document. All of the SECDIR members who participated 
in the discussion argued that the text in 6.1 needs to be changed to MAY from 
SHOULD. The general principle cited in the discussion has been that "national" 
crypto algorithms like GOST ought not be cited as MUST or SHOULD in standards 
like DNSSEC. I refer interested individuals to the SECDIR archive for details 
of the discussion.

(http://www.ietf.org/mail-archive/web/secdir/current/maillist.html)

As usual, I agree completely with Steve Kent. Further, I note that while there 
was consensus in the DNSEXT WG to put this document on standards track, there 
was no such consensus for making every DNSSEC implementation come under a new 
SHOULD-level requirement.

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf