Hiya,
On 04/01/2021 14:23, Paul Wouters wrote:
> On Mon, 4 Jan 2021, Stephen Farrell wrote:
>> WRT GOST, we're not really talking about an algorithm but rather a national crypto standards scheme that selects sets of algorithms. For such things, whether from Russia or the US or anywhere, I think it's quite fair to ask "how has version N deployment gone?"
>
> Why is that fair?
Eh? Seems to me that asking about the facts is fair. I have a hard time envisaging a way it could be unfair tbh, so your question surprises me.
> I'd say the community was quite busy and possibly made some mistakes in the past. I don't think that is a valid barrier for the future. For example, would we bar NIST or the US from ever standardizing a new RNG? :P
You seem to be assuming that the goal of asking is to justify saying "no." That wasn't my intent - I just think we make better decisions if we know the deployment facts, rather than our decisions being based on whomever is good at rhetoric or automatically giving nation-states or mega-companies whatever they ask. WRT a new RNG - yes, if one was suggested from a US or any source, then we absolutely should be very careful with that. Mind you, I can't think of an IANA registry that has RNG algs as entries, so maybe it's not a super-good example.
>> And "how to handle" isn't always "adoption" but could, as I said, result in deprecating version N if nobody really cares about it - in such a case that'd help implementers and better reflect reality.
>
> If a national government wants something, we could ask for at least one implementation to be planned.
That was not what I suggested asking. I'd just like to know if or how much the current gost stuff gets used with dnssec.
> But using this measure as a way to stop these seems wrong. It would move the possible standardization from IETF to, say, OpenSSL or BIND. I do think one issue is how often GOST (or FIPS) updates their algorithms and obsoletes older ones. That might cause a faster depletion of the registry than we'd like. But on the other side, it would be nice if we could become faster with obsoleting algorithms too. Why is there still RSASHA1 deployed...
Yep. Allocating codepoints for things that don't get used (if that is the case with GOST algs and DNSSEC, which I *still* don't know any more about) doesn't help us move on from things that did get used.

Cheers,
S.
> Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop