[[ Dropping CURDLE because these discussions should only be in one WG ]]
On 19 Mar 2016, at 15:43, Paul Wouters wrote:
Hi,
there was an interest in deprecating some DNSSEC related algorithms.
Ondrey and I wrote a draft that tries to introduce and deprecate
DNSSEC algorithms similar to how it has been done for IKE in RFC4307
and 4307bis:
Comments, feedback would be great :)
https://tools.ietf.org/html/draft-wouters-sury-dnsop-algorithm-update
This draft is mostly good, and would be a good addition to DNSOP.
I have two technical issues with the -00 that can easily be resolved.
ECC-GOST is at the SHOULD level because it has not seen wide
deployment.
GOST is a "national algorithm", meaning that it is used almost
exclusively in only one country (in this case Russia). National
algorithms should not be promoted in the IETF unless they are used more
widely *and* there is a good body of cryptographic research showing that
they are as good as similar algorithms. GOST has neither. Proposal: drop
it from this document. It will remain in the IANA registry, of course.
ECDSAP256SHA256 and ECDSAP384SHA384 provide more strength for
signature size than RSASHA256 and RSASHA512 variants. It is expected
to be raised to MUST once they have been deployed more widely for
DNSSEC Signing. ECDSAP256SHA256 has seen a rise in deployment, so
it's set to MUST level for DNSSEC Validation.
Even though I was a strong proponent of ECDSA, I think this is the wrong
move. ECDSA has had many years to garner interest, and it hasn't. Within
a year, we will have EDDSA in DNSSEC, and the operational crypto
properties of EDDSA are noticeably better than those of ECDSA. It would
be much better if the community just standardized on EDDSA instead of a
mixture of the two algorithms. Proposal: drop them from this document.
They will remain in the IANA registry, of course.
--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
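The thread argues about which DNSSEC algorithms a policy document should rank at MUST/SHOULD/MAY, and quotes the draft's claim that ECDSA gives more strength per signature byte than RSA. The following is an added example, written for this page and not taken from the thread, the draft, or any DNS implementation: it parses DNSKEY records in presentation format, computes the RFC 4034 key tag, derives the RRSIG signature length and an approximate security strength for each algorithm (RFC 3110 RSA key layout, RFC 2536 DSA, RFC 5933 GOST, RFC 6605 ECDSA, RFC 8080 EdDSA sizes, NIST SP 800-57 strength equivalences), and flags each key against a policy table. The POLICY table is an assumed illustration in the draft's style, not the draft's actual levels, and the sample keys are constructed placeholder material, not real keys.

```python
"""Added example: rate a zone's DNSKEY RRset against an algorithm policy
and show signature bytes per bit of security strength per algorithm."""
import base64
import struct

# IANA DNSSEC algorithm numbers (registry values).
ALG_NAMES = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    12: "ECC-GOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
    15: "ED25519", 16: "ED448",
}
RSA_ALGS = {1, 5, 7, 8, 10}
DSA_ALGS = {3, 6}

# ASSUMED illustrative policy in the draft's MUST/SHOULD/MAY style.
# This is NOT the draft's table; replace it with the policy you adopt.
POLICY = {
    "MUST NOT": {1, 3, 6},
    "NOT RECOMMENDED": {5, 7, 12},
    "RECOMMENDED": {8, 13, 15},
}


def parse_dnskey(rdata_text):
    """Parse DNSKEY presentation rdata: '<flags> <protocol> <algorithm> <base64>'."""
    fields = rdata_text.split()
    flags, protocol, alg = int(fields[0]), int(fields[1]), int(fields[2])
    pubkey = base64.b64decode("".join(fields[3:]))  # base64 may be space-split
    return flags, protocol, alg, pubkey


def key_tag(flags, protocol, alg, pubkey):
    """RFC 4034 Appendix B key tag (B.1 special case for RSAMD5)."""
    if alg == 1:
        # Most significant 16 bits of the least significant 24 bits of the modulus.
        return struct.unpack("!H", pubkey[-3:-1])[0]
    rdata = struct.pack("!HBB", flags, protocol, alg) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_modulus_bytes(pubkey):
    """RFC 3110 layout: 1-byte (or 0 + 2-byte) exponent length, exponent, modulus."""
    exp_len, off = pubkey[0], 1
    if exp_len == 0:
        exp_len, off = struct.unpack("!H", pubkey[1:3])[0], 3
    return len(pubkey) - off - exp_len


def signature_bytes(alg, pubkey):
    """RRSIG signature field length implied by the algorithm (and RSA key size)."""
    if alg in RSA_ALGS:
        return rsa_modulus_bytes(pubkey)       # RSA signature = modulus length
    if alg in DSA_ALGS:
        return 41                               # RFC 2536: T || R(20) || S(20)
    return {12: 64, 13: 64, 14: 96, 15: 64, 16: 114}.get(alg)


def strength_bits(alg, pubkey):
    """Approximate security strength (NIST SP 800-57 Part 1 equivalences)."""
    if alg in RSA_ALGS:
        return {128: 80, 256: 112, 384: 128, 960: 192, 1920: 256}.get(
            rsa_modulus_bytes(pubkey))
    # DNSSEC DSA is capped at a 1024-bit p; GOST 2001 and P-256/Ed25519 are ~128.
    return {3: 80, 6: 80, 12: 128, 13: 128, 14: 192, 15: 128, 16: 224}.get(alg)


def policy_level(alg):
    """Look up the assumed policy; anything unlisted is treated as MAY."""
    for level, algs in POLICY.items():
        if alg in algs:
            return level
    return "MAY"


def assess_dnskey(rdata_text):
    """Summarise one DNSKEY: identity, signature cost, strength and policy level."""
    flags, protocol, alg, pubkey = parse_dnskey(rdata_text)
    sig, strength = signature_bytes(alg, pubkey), strength_bits(alg, pubkey)
    return {
        "algorithm": ALG_NAMES.get(alg, f"alg{alg}"),
        "key_tag": key_tag(flags, protocol, alg, pubkey),
        "sig_bytes": sig,
        "strength_bits": strength,
        "bytes_per_strength_bit": round(sig / strength, 2) if sig and strength else None,
        "level": policy_level(alg),
    }


def constructed_dnskey(flags, alg, pubkey):
    """Build presentation rdata from constructed (placeholder) key bytes."""
    return f"{flags} 3 {alg} {base64.b64encode(pubkey).decode()}"


# Constructed sample RRset with placeholder key material (not real keys).
SAMPLE_RRSET = [
    constructed_dnskey(257, 8, b"\x03\x01\x00\x01" + b"\xff" * 256),   # RSA-2048, e=65537
    constructed_dnskey(257, 13, b"\x00" * 64),                          # P-256: X || Y
    constructed_dnskey(256, 15, b"\x00" * 32),                          # Ed25519
    constructed_dnskey(256, 5, b"\x03\x01\x00\x01" + b"\xff" * 128),    # RSA-1024 / SHA-1
]

if __name__ == "__main__":
    for rr in SAMPLE_RRSET:
        print(assess_dnskey(rr))
```

Running it on the constructed RRset shows the point the draft makes: an RSA-2048 key costs 256 signature bytes for roughly 112 bits of strength, while P-256 and Ed25519 cost 64 bytes for roughly 128, and the 1024-bit RSASHA1 key lands in the NOT RECOMMENDED bucket of the assumed policy. Swap in your zone's DNSKEY rdata to audit it against whatever levels the working group settles on.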