On 20-07-17 at 10:45, Shumon Huque wrote:
> On Thu, Jul 20, 2017 at 10:39 AM, Ólafur Guðmundsson
> <ola...@cloudflare.com> wrote:
>
> > I disagree, if a zone operator selects "less-than" common algorithm
> > they do that at their own risk,
> > if the risk is not acceptable then it should dual sign....
>
> Yes. The point I was trying to make is that DANE sites (and probably
> others if they care about security) cannot afford to fail open. So they
> have to dual sign if they can stomach the costs, or delay deploying new
> algorithms for a long time. This draft is intended to (eventually) make
> the dual signing case easier to deal with operationally.

So, Providers of DANE backed services are stuck on the well-known
algorithms, and do not have insight on algorithm support by clients
verifying these services with DANE.

This draft in combination with double signing, provides the means to deal
with this (and in a secure manner too). I think this is an important
motivation of this work and that this should be reflected in the
Introduction section of the draft.

-- Willem

>
> --
> Shumon Huque
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop