On 3/15/2017 6:26 AM, Roy Arends wrote:
In the spirit of being constructive, we (Jakob Schlyter, Matt Larson and I) 
have written a small draft (draft-arends-dnsop-dnssec-algorithm-update) that 
does two things:

it changes RSASHA1 from “Must Implement” to “Recommended to Implement”. 
(RSASHA1 is the only “MUST IMPLEMENT”)
it changes RSASHA256 from “Recommended to Implement” to “Must Implement”.

The main motivator for this is that implementors have an incentive to move 
their implementations' “default use” away from RSASHA1 (for instance, when a 
user generates a DNSKEY without specifying an algorithm, or when choosing an 
algorithm for signing in the presence of more than one algorithm).


Hi Roy -

I did read through the draft and it looks fairly benign, but I'm wondering if perhaps giving some warning and planning a transition might be possible while still meeting the spirit of the registry table.


E.g.

Must Implement:   RSASHA1 (Until 5/31/2018), RSASHA256 (after 6/1/2018)

Must Not Implement:  RSASHA1 (After 1/1/2021)

Recommended: RSASHA1 (From 6/1/2018 to 12/31/2020), RSASHA256 (until 5/31/2018)

This allows immediate use of SHA256 and starts the deprecation process for SHA1 but gives some warning to both the vendors and the operators of what's coming when.


Mike
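Two operator-side checks fall out of this exchange: Roy's point that the "default use" algorithm is whatever the implementation treats as MUST implement, and Mike's dated schedule, which lets a zone's DNSKEY RRset be audited against a transition window. The following is an added example written for this page; it is not code from the draft, from either poster, or from any DNS implementation. The schedule encodes Mike's proposed dates exactly as given above (it is his proposal, not the registry's actual status, and the open-ended windows are represented with `date.min`/`date.max` by assumption), and the DNSKEY records are constructed sample data with fake key material.

```python
"""Audit DNSKEY RRs against a dated DNSSEC algorithm-status schedule.

Added example for this thread, not code from the draft or from any DNS
implementation. PROPOSED_SCHEDULE transcribes Mike's proposed dates above.
"""
from dataclasses import dataclass
from datetime import date

# DNSSEC algorithm numbers and IANA mnemonics this audit knows about.
ALGORITHM_MNEMONICS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
}


@dataclass(frozen=True)
class StatusWindow:
    algorithm: int
    status: str   # "MUST", "RECOMMENDED" or "MUST NOT"
    start: date   # inclusive
    end: date     # inclusive


# Mike's proposed transition schedule (his dates; date.min/date.max for the
# open-ended windows is an assumption made here for convenience).
PROPOSED_SCHEDULE = [
    StatusWindow(5, "MUST", date.min, date(2018, 5, 31)),
    StatusWindow(5, "RECOMMENDED", date(2018, 6, 1), date(2020, 12, 31)),
    StatusWindow(5, "MUST NOT", date(2021, 1, 1), date.max),
    StatusWindow(8, "RECOMMENDED", date.min, date(2018, 5, 31)),
    StatusWindow(8, "MUST", date(2018, 6, 1), date.max),
]


def _as_date(when):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(when) if isinstance(when, str) else when


def status_on(algorithm, when, schedule=PROPOSED_SCHEDULE):
    """Implementation status of `algorithm` on `when`, or None if unscheduled."""
    when = _as_date(when)
    for w in schedule:
        if w.algorithm == algorithm and w.start <= when <= w.end:
            return w.status
    return None


def default_signing_algorithm(when, schedule=PROPOSED_SCHEDULE):
    """The algorithm a key generator should default to: the one that is MUST
    implement on that date (Roy's 'default use' point). None if there is none."""
    when = _as_date(when)
    for w in schedule:
        if w.status == "MUST" and w.start <= when <= w.end:
            return w.algorithm
    return None


@dataclass(frozen=True)
class DnskeyRecord:
    owner: str
    flags: int
    protocol: int
    algorithm: int


def parse_dnskey(line):
    """Parse a DNSKEY RR in presentation format:
    owner [ttl] [class] DNSKEY flags protocol algorithm base64-key"""
    fields = line.split()
    if "DNSKEY" not in fields:
        raise ValueError(f"not a DNSKEY record: {line!r}")
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    if protocol != 3:  # RFC 4034 fixes the protocol field at 3
        raise ValueError(f"bad DNSKEY protocol {protocol}: {line!r}")
    return DnskeyRecord(fields[0], flags, protocol, algorithm)


def audit(zone_text, when, schedule=PROPOSED_SCHEDULE):
    """Return (owner, key type, algorithm mnemonic, status) per DNSKEY in the text."""
    findings = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        rec = parse_dnskey(line)
        # SEP bit set (flags & 1) is conventionally the KSK (RFC 4034 2.1.1).
        key_type = "KSK" if rec.flags & 0x0001 else "ZSK"
        name = ALGORITHM_MNEMONICS.get(rec.algorithm, f"alg{rec.algorithm}")
        status = status_on(rec.algorithm, when, schedule) or "UNSCHEDULED"
        findings.append((rec.owner, key_type, name, status))
    return findings


# Constructed sample zone fragment; the key material is fake and truncated.
SAMPLE_ZONE = """\
; constructed sample, not a real zone
example.test. 3600 IN DNSKEY 257 3 5 AwEAAcAbCdEf
example.test. 3600 IN DNSKEY 256 3 8 AwEAAbCdEfGh
example.test. 3600 IN DNSKEY 256 3 13 oJMRESz5E4gYzS
"""

if __name__ == "__main__":
    print("default algorithm on 2019-01-01:", default_signing_algorithm("2019-01-01"))
    for owner, kind, alg, status in audit(SAMPLE_ZONE, "2021-01-15"):
        print(f"{owner} {kind} {alg}: {status}")
```

Run on the sample with a date in 2021, the RSASHA1 KSK is reported as MUST NOT while the RSASHA256 ZSK is MUST; the ECDSA key is reported as UNSCHEDULED because Mike's table says nothing about algorithms other than 5 and 8. Note that a schedule like this only tells you the status an implementation should apply; it says nothing about whether resolvers that validate your zone have actually dropped support, which is the operational risk a key rollover has to be planned around.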




_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop