On 6 Jan 2021, at 15:48, Ben Schwartz <bem...@google.com> wrote:

> On Wed, Jan 6, 2021 at 3:37 PM Joe Abley <jab...@hopcount.ca> wrote:
> On Jan 6, 2021, at 14:45, Ben Schwartz <bemasc=40google....@dmarc.ietf.org> wrote:
> 
> > That model works well when (a) all validators implement an algorithm you 
> > like OR (b) you view each algorithm as either "definitely strong" or 
> > "worthless" (no middle ground).
> 
> We are in scenario (b).
> 
> I think the long half-life of RSA-1024 is an example of a violation of (b).

Can you explain that in more detail?

A zone administrator today might decide that RSA with 1024 bit keys is 
sufficient, or that SHA-1 is reasonable.

A validator administrator might decide otherwise, and decline to gauge 
authenticity using those signatures.

These are both reasonable local policies. It's ok that they disagree.

> I don't think it is orthogonal.  The prevalent local validator policies 
> change the effect that zone owner choices will have, so zone owners need to 
> know what those policies are.

I agree it's useful to encourage local policies to be sane. I'm not sure why 
making the kind of change you are talking about achieves that.

It seems clear to me that changing the behaviour in validators would break some 
things; it's less clear that a change of the kind you suggest would make 
anything better. I am definitely not yet firing on all cylinders though, this 
year, so I am fully prepared to discover that I am missing something. :-)


Joe
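
Added example (not from the original thread, and not any validator's real implementation): a small Python model of the local-policy split the message describes. The zone keys and the two validator policies are constructed for illustration; the algorithm numbers are the IANA DNSSEC registry values, and the "no supported algorithm means insecure, not bogus" rule is the RFC 4035 section 5.2 behaviour. It shows what a zone operator would want to know about prevalent validator policy: under a policy that drops RSA-1024/SHA-1, a zone signed only that way is treated as unsigned, while a zone that also carries a key the validator accepts stays secure.

```python
# Added example, not part of the original thread: a toy model of the "local
# policy" split. A zone operator picks a signing algorithm and key size; a
# validator operator decides independently which of those to trust. Policies
# and zone keys below are constructed; no real signature checking happens.
from dataclasses import dataclass
from enum import Enum

# IANA DNSSEC algorithm numbers (real registry values).
RSASHA1 = 5
RSASHA256 = 8
ECDSAP256SHA256 = 13


class Outcome(Enum):
    SECURE = "secure"      # a trusted key verified the RRSIG
    INSECURE = "insecure"  # no supported algorithm: treated as unsigned
    BOGUS = "bogus"        # a supported algorithm was used, but verification failed


@dataclass(frozen=True)
class ZoneKey:
    """A DNSKEY as the validator sees it (constructed stand-in, no crypto)."""
    algorithm: int
    bits: int              # RSA modulus size, or curve size for ECDSA
    rrsig_verifies: bool   # stand-in for the actual signature check


@dataclass
class ValidatorPolicy:
    """Local policy: algorithm -> minimum key size the validator will trust.

    An algorithm absent from the table is unsupported outright, i.e. the
    'worthless' side of scenario (b); there is no middle ground.
    """
    minimum_bits: dict

    def supports(self, key: ZoneKey) -> bool:
        floor = self.minimum_bits.get(key.algorithm)
        return floor is not None and key.bits >= floor


def validate(zone_keys, policy: ValidatorPolicy) -> Outcome:
    """Validation outcome for one zone under one validator's local policy.

    RFC 4035 section 5.2: if the validator supports none of the algorithms the
    zone uses, it has no authentication path and treats the zone as insecure
    (as if unsigned) rather than bogus. Only a failed check under a supported
    algorithm yields bogus.
    """
    usable = [k for k in zone_keys if policy.supports(k)]
    if not usable:
        return Outcome.INSECURE
    if any(k.rrsig_verifies for k in usable):
        return Outcome.SECURE
    return Outcome.BOGUS


# Two constructed validator policies: one still accepting RSA-1024/SHA-1,
# one that has dropped SHA-1 and requires 2048-bit RSA.
LENIENT = ValidatorPolicy({RSASHA1: 1024, RSASHA256: 1024, ECDSAP256SHA256: 256})
STRICT = ValidatorPolicy({RSASHA256: 2048, ECDSAP256SHA256: 256})

# Constructed zones.
RSA1024_SHA1_ZONE = [ZoneKey(RSASHA1, 1024, True)]
DUAL_SIGNED_ZONE = [ZoneKey(RSASHA1, 1024, True), ZoneKey(ECDSAP256SHA256, 256, True)]
BROKEN_SIG_ZONE = [ZoneKey(RSASHA256, 2048, False)]


def outcomes_by_policy(zone_keys):
    """How the same zone fares under each validator's local policy."""
    return {
        "lenient": validate(zone_keys, LENIENT),
        "strict": validate(zone_keys, STRICT),
    }


if __name__ == "__main__":
    for name, zone in [("rsa1024-sha1", RSA1024_SHA1_ZONE),
                       ("dual-signed", DUAL_SIGNED_ZONE),
                       ("broken-sig", BROKEN_SIG_ZONE)]:
        print(name, {p: o.value for p, o in outcomes_by_policy(zone).items()})
```

The point the model makes concrete is that the two administrators' choices compose: the zone operator's choice only determines the outcome once the validator's policy is known, and the failure mode for an algorithm the validator has dropped is loss of protection (insecure), not a hard failure (bogus).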


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
