Re: private algorithms and the DS record



On Wed, 22 Dec 2004, David Blacka wrote:

> 1) DS records are modified to contain the private algorithm name,
> allowing the validator algorithm to work the same for public and private
> algorithms, or

As before, I want to avoid this.

> 2) The need and algorithm for fetching the private algorithm name from
> the DNSKEY in a safe manner is documented somewhere (another RFC or
> additional text), or

Excellent choice.  Good catch re: the possible attack if just the
keyid, rather than the hash of the DNSKEY, is compared to the DS --
that needs to be documented.  I'm increasingly fond of a "private
algorithm" doc, but an RFC-Editor note seems practical.  This isn't a
big deal.

> 3) private algorithms are deprecated, or

I'd prefer to leave them in, providing some space for future
experimentation, but I wouldn't object to deprecating them.

> 4) everyone else decides that the current text is clear enough, there is
> no need to change anything, we are fairly sure that future
> implementations of private algorithm support will work just fine, thank
> you very much.

2 and 3 seem like better choices.

-- Sam

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
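The check behind the "possible attack" in the quoted exchange, as an added example that is not part of the original thread: a validator that pairs a DS with a DNSKEY by the 16-bit key tag alone can be handed a different key that merely shares the tag, and then reads the private algorithm name (and key material) out of the wrong record. The safe procedure uses the tag only as a filter and accepts a DNSKEY only when the digest over the owner name and DNSKEY RDATA matches the DS. The owner name, the two PRIVATEDNS (algorithm 253) keys, and the use of SHA-256 as the DS digest type are all constructed for the demonstration; the key-tag and digest computations follow the published DNSSEC definitions.

```python
import hashlib
import hmac
import struct

PRIVATEDNS = 253    # DNSKEY algorithm number whose key field begins with a wire-format domain name
DIGEST_SHA256 = 2   # DS digest type number for SHA-256 (assumed here for illustration)


def wire_name(name):
    """Encode a dotted name as uncompressed wire format: length-prefixed labels, then root."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_wire_name(data, offset=0):
    """Decode an uncompressed wire-format name at data[offset:]; return (dotted name, length)."""
    labels, pos = [], offset
    while True:
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not permitted inside a DNSKEY")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", pos - offset


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Assemble DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a 16-bit folded sum over the RDATA, not a hash."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=DIGEST_SHA256):
    """DS digest = H(canonical owner name | DNSKEY RDATA)."""
    if digest_type != DIGEST_SHA256:
        raise ValueError("only SHA-256 is implemented in this example")
    return hashlib.sha256(wire_name(owner.lower()) + rdata).digest()


def private_algorithm_name(rdata):
    """Read the algorithm name a PRIVATEDNS key carries at the start of its key field."""
    _flags, _protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if algorithm != PRIVATEDNS:
        raise ValueError("not a PRIVATEDNS DNSKEY")
    name, _ = parse_wire_name(rdata, 4)
    return name


def algorithm_name_by_tag_only(ds_tag, candidates):
    """The weak check the thread warns about: trust the first key whose tag equals the DS tag."""
    for rdata in candidates:
        if key_tag(rdata) == ds_tag:
            return private_algorithm_name(rdata)
    return None


def algorithm_name_by_digest(owner, ds_tag, ds_type, ds_value, candidates):
    """The safe check: the tag only narrows the search; the digest authenticates the key."""
    for rdata in candidates:
        if key_tag(rdata) != ds_tag:
            continue
        if hmac.compare_digest(ds_digest(owner, rdata, ds_type), ds_value):
            return private_algorithm_name(rdata)
    return None


# Constructed data. KEY_B names a different algorithm and carries different key bytes,
# but its bytes were chosen so the key_tag() sum equals KEY_A's: key tags are not unique.
OWNER = "example."
KEY_A = dnskey_rdata(257, 3, PRIVATEDNS, wire_name("alg.example.") + bytes(range(1, 9)))
KEY_B = dnskey_rdata(257, 3, PRIVATEDNS,
                     wire_name("other.example.") + bytes([0x47, 0x64, 0x47, 0x40, 0x00, 0x00]))
# The DS the parent zone would publish for KEY_A.
DS_TAG, DS_TYPE, DS_VALUE = key_tag(KEY_A), DIGEST_SHA256, ds_digest(OWNER, KEY_A)


def demo():
    """Return (name chosen by tag only, name chosen via the digest) over a substituted key set."""
    candidates = [KEY_B, KEY_A]   # a substituted key listed ahead of the genuine one
    return (algorithm_name_by_tag_only(DS_TAG, candidates),
            algorithm_name_by_digest(OWNER, DS_TAG, DS_TYPE, DS_VALUE, candidates))


if __name__ == "__main__":
    print(key_tag(KEY_A), key_tag(KEY_B), demo())
```

Run stand-alone, the script prints the shared key tag for both keys and then the two results: the tag-only lookup returns the algorithm name from the substituted key, while the digest-based lookup returns the name from the key the DS actually covers. Whatever text eventually documents the private-algorithm fetch, the property to state is that the algorithm name is read only from a DNSKEY whose digest the DS has confirmed.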