Paul Hoffman <paul.hoff...@icann.org> wrote:
> On Mar 9, 2020, at 6:46 PM, Tony Finch <d...@dotat.at> wrote:
> > Which is why the timetable aims to stop the use of SHA-1 for signing
> > before it stops the use of SHA-1 for validating, assuming
> > optimistically that we actually have 2 years available. (I fear we
> > don't.)
>
> Who is "we" there?

Mainly, people who don't want DNSSEC to be open to criticism for using
broken cryptography.

> > WRT updating RFC 8624, my hope is that updated implementation
> > requirements will encourage better tools to make it easier to upgrade
> > from SHA-1 before SHA-1 becomes useless. My initial suggestions are
> > probably ham-fisted, but for software that is on an annual cycle of
> > feature releases there isn't time for a multi-stage deprecation. I
> > don't think there's any point addressing a draft to operators if the
> > tooling still encourages the use of SHA-1.
>
> Then consider writing a draft that strongly discourages implementations
> from encouraging or even being neutral about algorithms with SHA-1.

That's what I tried to do.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Rockall, Malin, Hebrides, Bailey: Cyclonic at first in north Bailey,
otherwise westerly or southwesterly 6 to gale 8. Very rough, occasionally
high except in Malin. Rain then squally showers. Moderate or good,
occasionally poor.