Re: DS Algorithm selection and SHA1 deprecation
At 22:43 +1100 12/7/05, Mark Andrews wrote:
> What we are trying to do is phase out the use of SHA1. We are
> not waiting for SHA1 to be broken. This is a pre-emptive
> replacement with SHA256 and we are trying to work out how to
> go from all DS/SHA1 to all DS/SHA256 without breaking the
> trust chains.
I don't think it's right to make the phase out of SHA1 the stated
goal. The goal is to define SHA256 as an alternative and document
why it is better than SHA1 and why an operator (of DNS) ought to
prefer to use SHA256 (given that SHA1 is already in play).
As a consumer of DNS code, I want code that has as much functionality
as possible, other things being equal. E.g., if you released BIND
9.12.2 with SHA1 in it and the only change for 9.12.3 was to remove
it - I wouldn't bother to upgrade.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
3 months to the next trip. I guess it's finally time to settle down and
find a grocery store.
archive: <http://ops.ietf.org/lists/namedroppers/>
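The transition the thread discusses (a parent publishing both DS/SHA1 and DS/SHA256 for the same child key so that old and new validators both find a usable digest) worked through as an added example; this is not code from the thread or from BIND. It follows RFC 4034 (DS digest over owner name plus DNSKEY RDATA, key tag from Appendix B) and RFC 4509 (digest type 2); the DNSKEY bytes and the `validates` acceptance rule are constructed assumptions, and `validates` simplifies the RFC 4509 rule to "any understood DS that matches".

```python
# Added example (not from the thread): build DS records of digest type 1
# (SHA-1) and type 2 (SHA-256) for one DNSKEY, as a parent would publish
# both during a SHA-1 -> SHA-256 migration.  DS digest per RFC 4034 s.5.1.4,
# key tag per RFC 4034 App. B, digest type 2 per RFC 4509.  The DNSKEY
# bytes below are constructed sample data, not a real key.
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int) -> dict:
    """DS RDATA fields; digest = H(canonical owner name || DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest.upper()}

def validates(ds_set: list, owner: str, rdata: bytes, accepted_types: set) -> bool:
    """Simplified validator rule (assumption): the DNSKEY is trusted if any DS
    whose digest type the validator understands matches the key."""
    return any(ds["digest_type"] in accepted_types and
               make_ds(owner, rdata, ds["digest_type"]) == ds for ds in ds_set)

# Constructed KSK: flags 257 (SEP), protocol 3, algorithm 5 (RSASHA1), fake key bytes.
EXAMPLE_OWNER = "example."
EXAMPLE_RDATA = dnskey_rdata(257, 3, 5, bytes(range(1, 65)))
# Parent publishes both digest types during the transition.
EXAMPLE_DS = [make_ds(EXAMPLE_OWNER, EXAMPLE_RDATA, t) for t in (1, 2)]

if __name__ == "__main__":
    for ds in EXAMPLE_DS:
        print("example. IN DS %d %d %d %s" % (ds["key_tag"], ds["algorithm"],
                                             ds["digest_type"], ds["digest"]))
```

A SHA1-only validator matches the type 1 DS, a SHA256-capable one the type 2 DS, and a parent that drops type 1 before the old validators are gone breaks the chain for them.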