On 6 Jan 2021, at 15:48, Ben Schwartz <bem...@google.com> wrote: > On Wed, Jan 6, 2021 at 3:37 PM Joe Abley <jab...@hopcount.ca > <mailto:jab...@hopcount.ca>> wrote: > On Jan 6, 2021, at 14:45, Ben Schwartz <bemasc=40google....@dmarc.ietf.org > <mailto:40google....@dmarc.ietf.org>> wrote: > > > That model works well when (a) all validators implement an algorithm you > > like OR (b) you view each algorithm as either "definitely strong" or > > "worthless" (no middle ground). > > We are in scenario (b). > > I think the long half-life of RSA-1024 is an example of a violation of (b).
Can you explain that in more detail? A zone administrator today might decide that RSA with 1024 bit keys is sufficient, or that SHA-1 is reasonable. A validator administrator might decide otherwise, and decline to gauge authenticity using those signatures. These are both reasonable local policies. It's ok that they disagree. > I don't think it is orthogonal. The prevalent local validator policies > change the effect that zone owner choices will have, so zone owners need to > know what those policies are. I agree it's useful to encourage local policies to be sane. I'm not sure why making the kind of change you are talking about achieves that. It seems clear to me that changing the behaviour in validators would break some things; it's less clear that a change of the kind you suggest would make anything better. I am definitely not yet firing on all cylinders though, this year, so I am fully prepared to discover that I am missing something. :-) Joe
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
