
Re: IAB statement on the RPKI.

2010-02-16 13:22:42
Dmitry Burkov wrote:

On 16.02.10 4:21, Phillip Hallam-Baker wrote:
deploy as at present does not seem to have occurred to them. It is
quite possible that what is driving the GOST issue is that the GRU
really has a thing about vanity crypto. But I think it much more
likely that they are going to use it as part of a series of
regulations that effectively require Russian ISPs chain their DNSSEC
off the GRU approved root.
   

I think that it is not a constructive way to discuss this issue
following some conspiracy theories.
I want to refer you to the origin of this discussion on the IETF lists
http://dnssec-deployment.org/pipermail/dnssec-deployment/2009-April/thread.html#2932

and want to remind you what the initial reason was for us to follow this way and
to propose GOST as one of the standard algorithms for DNSSEC.

With respect to supporting regionally favoured crypto-algorithm,
the solution should be different.  DNSsec should allow for the
presence of more than one signature (differing in algorithm),
so that Zones can carry both, a mandatory to implement signature
(algorithm) and interoperable world-wide, and one that might
be preferred in particular regions (or legislations) and can
be evaluated in those areas by those who care (or which are
obliged to care).

The obvious benefit is that only those living in regions or
legislations with an extreme bias towards certain crypto algorithms
have to bear the burden of creating and verifying the optional
signatures with that algorithm, while the others can continue
to use the single common and mandatory algorithm.


I don't have a problem if DNS-Zones like ".ru", ".su" include
GOST-based signatures in their Zones.   But to me it looks like
a serious problem if they do _NOT_ include signatures of a
common worldwide algorithm (which can be used by all others
that verify zones from .ru and .su).


(are signatures and DNS KEYs in DNSsec really designed to be
 "highlanders", i.e. there can only be one?)

-Martin
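
The policy argued for in the message above, as an added example (not part of the original mail or of any DNSSEC tool): a Python check that flags RRsets whose RRSIGs use only a regional algorithm. The zone data is constructed, and treating algorithms 5 and 8 as the "common" set and 12 (the number IANA later assigned to GOST R 34.10-2001) as regional is an assumption of this sketch.

```python
from collections import defaultdict

# Assumption: which algorithms count as "common worldwide" is a policy choice.
# Keys are IANA DNSSEC algorithm numbers.
COMMON_ALGS = {5: "RSASHA1", 8: "RSASHA256"}
REGIONAL_ALGS = {12: "ECC-GOST"}

# Constructed RRSIG records in presentation format. The signature field is a
# placeholder; nothing is verified cryptographically here.
SAMPLE_ZONE = """\
example. 3600 IN RRSIG SOA 12 1 3600 20100316000000 20100216000000 1111 example. c2ln
example. 3600 IN RRSIG SOA 8 1 3600 20100316000000 20100216000000 2222 example. c2ln
example. 3600 IN RRSIG NS 12 1 3600 20100316000000 20100216000000 1111 example. c2ln
www.example. 3600 IN RRSIG A 12 2 3600 20100316000000 20100216000000 1111 example. c2ln
www.example. 3600 IN RRSIG A 5 2 3600 20100316000000 20100216000000 3333 example. c2ln
"""

def rrsig_algorithms(zone_text):
    """Map (owner, covered type) -> set of algorithm numbers signing that RRset."""
    covered = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[3].upper() != "RRSIG":
            continue  # not an RRSIG line in owner/TTL/class/type layout
        owner, type_covered, alg = fields[0].lower(), fields[4].upper(), int(fields[5])
        covered[(owner, type_covered)].add(alg)
    return covered

def audit(zone_text):
    """Return RRsets that carry no signature from a common algorithm."""
    findings = []
    for rrset, algs in sorted(rrsig_algorithms(zone_text).items()):
        if algs.isdisjoint(COMMON_ALGS):
            findings.append((rrset, sorted(algs)))
    return findings

if __name__ == "__main__":
    for (owner, rtype), algs in audit(SAMPLE_ZONE):
        names = [REGIONAL_ALGS.get(a, str(a)) for a in algs]
        print(f"{owner} {rtype}: no common-algorithm signature (only {names})")
```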