On Jan 7, 2025, at 16:37, Tim Wicinski <tjw.i...@gmail.com> wrote:

> On Tue, Jan 7, 2025 at 6:05 PM Paul Hoffman <paul.hoff...@icann.org> wrote:
>> On Jan 7, 2025, at 14:30, Tim Wicinski <tjw.i...@gmail.com> wrote:
>> > Paul Hoffman makes a very important point on section 2 of rfc8624-bis:
>> >> The WG should consider whether the publication requirements in Section 2
>> >> are correct. I feel they are not, but I also know that this topic elicits
>> >> strong opinions in this WG, in SAAG, and in the IETF in general.
>> >
>> > The guidance the chairs have received is that all new cryptographic
>> > algorithms which folks are considering implementing in DNSSEC must go
>> > through the Independent Stream (ISE).
>>
>> Who gave that guidance? And, more importantly, why was it given to the
>> chairs and not the WG? This is certainly not what we hear from the Security
>> ADs these days.
>
> This came up during the 5933-bis Process.
> https://mailarchive.ietf.org/arch/msg/dnsop/XZoakWUDruPXylJ2wLIS4l4vevo/#
> Warren wrote up something as well
> https://mailarchive.ietf.org/arch/msg/dnsop/hv-dlx8rRXHXzB7DMzETLM-Q_vQ/

Please note that those messages are *only* about GOST, not "all new cryptographic algorithms". The distinction is particularly important as we discuss post-quantum algorithms because there are many governments and regions proposing algorithms different than what NIST has proposed. (Also noting here that NIST is a government agency.)

>> > I will now ask - could we change the requirements in this document to
>> > these suggestions?
>> > What would be the unintended consequences of simplifying the process
>> > hurdles?
>> >
>> > NewEntry -> MAY => "Specification Required/Expert Review"
>> > (Currently RFC Required)
>> >
>> > MAY -> AnythingElse => "RFC Required/Expert Review" (Currently
>> > Standards Action)
>> >
>> > AnythingElse -> MAY => (Could this even happen??)
>> >
>> > My personal opinion (which I am confident is universally hated by
>> > everyone) is that the "DNS Security Algorithm Numbers" Registry and
>> > "Digest Algorithms" Registry should either have a Private Use section for
>> > algorithm testing OR make the registries "Specification Required".
>> > Simplify the process for experiments with new algorithms.
>>
>> I'll raise my hand to hating that. :-) The IETF has a spectacularly bad
>> track record for later changing experimental anything into requirements when
>> it becomes clear that the experiment went well. For these tables, having
>> "MAY" mean "we know these things exist, but we don't have any positive or
>> negative opinions on them" is more clear to the developers and implementers
>> than making them guess how well an experiment is going.
>>
> I can accept that (I am confident that my bad ideas are bad). But this also
> sounds like having a section of the registry marked "Private Use" allows for
> testing without having an official IETF Experiment.

If you think typical IETF participants can differentiate those two, I can point you to many trails of tears that might dissuade you.

> My goal here is to help developers, researchers, etc. work on new ideas
> without a lot of process.

I don't mind process for getting beyond "MAY"; in fact, I think it's our responsibility to do the work in that process.

--Paul Hoffman

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org