On Mar 9, 2020, at 4:16 PM, Tony Finch <d...@dotat.at> wrote: > > The aim of this is to deprecate SHA-1 algorithms 5 and 7 more vigorously. > I've put in a fairly specific timetable for sake of argument, basically to > set up the death of SHA-1 as next year's DNS "flag day", unless some > clever cryptanalysis forces it to happen sooner. > > I'm afraid it's a rough first pass...
This draft, as constituted, is not a clean update to RFC 8624. RFC 8624 was about Algorithm implementation requirements: it says so right in the title, and repeats that in many other places. This draft is about discouraging people from signing with SHA-1 by directly harming them (implementations that will no longer be able to validate their signatures). While threats of direct harm are probably effective at getting to a desired outcome, they do not represent the way the IETF normally does its work. (I'm happy about that.) A different draft would give the same guidance to signers, explain that their practices put themselves at risk, and show charts of how signatures using SHA-1 are decreasing (indicating that laggards are becoming part of an ever-smaller minority). --Paul Hoffman
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
