On Fri, Mar 28, 2014 at 09:06:17AM -0400, Phillip Hallam-Baker wrote: > Code is only vulnerable if it trusts 1024bit RSA. Code should not trust > 1024bit RSA. > > Therefore ICANN needs to sign the root zone with 2048 before we consider it > signed. End of story.
I think the point was that there was a time when the root was signed (it happens to include now) with 1024 bit RSA, and if you want to include that in the "signed period" then you need to accept that risk. The selection of 1024 bits was done on the advice of those that some people turn out now not to trust, but I think hindsight may be different than foresight. I don't think you can make the argument that the root zone is not signed now, because if you do then in some future when 2048 bit RSA turns out to be vulnerable, you'll have to repeat the argument. That seems absurd (it devolves to Zeno's zone signer). A -- Andrew Sullivan a...@anvilwalrusden.com _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
