
Re: DS Algorithm selection and SHA1 deprecation (Was: Re: Review of draft-ietf-dnsext-ds-sha256-01.txt)



At 14:35 -0500 12/6/05, Ólafur Guðmundsson /DNSEXT co-chair wrote:

As for deprecating SHA1 right now this is something the editor
is looking for guidance on what the document should say.

I'd say - lay out the problem with SHA-1 and let operators decide if they still want to code bases that implement it. Don't make operational "decisions" in a protocol document.

Let's say RFC 10234 defines some approach using SHA-1. RFC 10321 defines the same approach saying SHA-256 is safer, warning that SHA-1 is a bad idea.

I expect to read on the box my software comes in "compliant with RFC 10234", "compliant with RFC 10234 and RFC 10321", "compliant with RFC 10321" or "doesn't know anything about SHA." That's how I see the RFCs being useful when documenting these issues.

Is SHA-1 better than no understandable DS records? (That's the question an operator of a resolver needs to ask themselves.)
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

3 months to the next trip.  I guess it's finally time to settle down and
find a grocery store.
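The resolver-side choice the message leaves to the operator, as an added illustration that is not part of the thread or of the draft under review: the code below builds DS digests of type 1 (SHA-1, RFC 4034) and type 2 (SHA-256, the digest type the draft defines, published as RFC 4509), verifies a DS against a DNSKEY, and applies a validator policy in which SHA-256 DS records win whenever they are present and SHA-1-only DS RRsets are accepted or ignored according to an operator flag. The DNSKEY material and the owner name `example.` are constructed sample values, and `allow_sha1` is a hypothetical operator setting, not a knob from any real resolver.

```python
import hashlib
from dataclasses import dataclass

# DS digest type numbers: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
HASHERS = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    trimmed = name.rstrip(".").lower()
    out = b""
    for label in (trimmed.split(".") if trimmed else []):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit ones'-complement-style sum over the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return HASHERS[digest_type](owner_wire(owner) + rdata).digest()


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def make_ds(owner, rdata, digest_type):
    """Build the DS record a parent would publish for this DNSKEY."""
    return DS(key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds, owner, rdata):
    """A validator's check: recompute the digest from the child's DNSKEY and compare."""
    if ds.digest_type not in HASHERS:
        return False
    return (ds.key_tag == key_tag(rdata)
            and ds.algorithm == rdata[3]
            and ds.digest == ds_digest(owner, rdata, ds.digest_type))


def usable_ds(dsset, allow_sha1=False):
    """Select the DS records a validator will act on.

    RFC 4509 section 3: when SHA-256 DS records are present, SHA-1 DS records in
    the same RRset are ignored.  If only SHA-1 records exist, the hypothetical
    operator flag allow_sha1 decides between using them and leaving the RRset empty
    (an empty result means no supported authentication path, which RFC 4035
    section 5.2 treats like a proven absence of DS: an insecure delegation).
    """
    sha256 = [ds for ds in dsset if ds.digest_type == DIGEST_SHA256]
    if sha256:
        return sha256
    sha1 = [ds for ds in dsset if ds.digest_type == DIGEST_SHA1]
    return sha1 if allow_sha1 else []


# Constructed sample key: KSK flags 257, protocol 3, algorithm 8, 4 placeholder key bytes.
OWNER = "example."
RDATA = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
DS_SHA1 = make_ds(OWNER, RDATA, DIGEST_SHA1)
DS_SHA256 = make_ds(OWNER, RDATA, DIGEST_SHA256)

if __name__ == "__main__":
    print("key tag:", key_tag(RDATA))
    print("mixed RRset ->", [d.digest_type for d in usable_ds([DS_SHA1, DS_SHA256])])
    print("SHA-1 only, strict ->", usable_ds([DS_SHA1]))
    print("SHA-1 only, permissive ->", [d.digest_type for d in usable_ds([DS_SHA1], allow_sha1=True)])
```

Run it and the mixed RRset yields only the SHA-256 record, while the SHA-1-only RRset is either accepted or dropped purely on the operator flag, which is exactly the decision the message argues a protocol document should describe rather than make.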

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>