On Tue, Jan 07, 2025 at 1:44 PM, Paul Wouters <p...@nohats.ca> wrote:
> On Tue, 7 Jan 2025, Paul Hoffman wrote: > > draft-ietf-dnsop-must-not-sha1 > > This document is fine as-is, with one minor nit: Appendix C should be > marked for removal by the RFC Editor, similar to Appendix B. > > I think the Title and Abstract are broken. It currently states: > > Remove SHA-1 from active use within DNSSEC > > Abstract > > This document retires the use of SHA-1 within DNSSEC. > > As we are not removing SHA-1 from NSEC3, > Oh, yeah, good point! Thank you. > I believe the title and abtract > (and perhaps more content) should clarify that this is about removing > SHA-1 as hashing and signature algorithm. > > > Shumon noted that it is used as a hashing algorithm in NSEC3, so we are proposing: Title: ""Deprecating the use of SHA-1 in DNSSEC signature algorithms"" and Abstract: "This document deprecates the use of the RSASHA1 and RSASHA1-NSEC3-SHA1 algorithms for the creation of DNSKEY and RRSIG records." Does that work for you / Shumon? > ============================================ > > draft-ietf-dnsop-must-not-ecc-gost > > The goal of this document is fine. Some of the wording could be toned down > because we don't actually know why the algorithms were deprecated. I heard, > very informally, that they had a minor but real weaknesses, and their > replacements had better security proofs. Given our lack of certainty, we > should deprecate them only because the sponsoring government did. > > Agreed. Additionally, I also don't like the phrase "from active use". Is > there passive use? Also, we are not the protocol police about usage. We > declare something obsolete or historic. We don't "pull from active use". > Ta. We have attempted to address this by updating the title of the GOST document to "Deprecate usage of ECC-GOST within DNSSEC". I still don't love it, but it is better… > Section 3 might instead read: > > This document potentially increases the security of the DNSSEC ecosystem > by deprecating algorithms that are no longer recommended for use. 
> > > Section 4 might instead read: > > This document removes support for ECC-GOST. Zone operators currently > making use of ECC-GOST based algorithms should switch to algorithms that > remain supported. DNS registries should prohibit their clients to upload > and publish ECC-GOST based DS records. > > (The reference to RFC 9499 there is confusing, so it can be eliminated.) > > > It might also add a note stating that it is safe for code to be removed as > there is no real world deployment of this algorithm. > > Appendix C should be marked for removal by the RFC Editor, similar to > Appendix B. > > > Paul W > > > _______________________________________________ > DNSOP mailing list -- dnsop@ietf.org > To unsubscribe send an email to dnsop-le...@ietf.org > > >
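The distinction the thread settles on (SHA-1 is deprecated as a DNSKEY/RRSIG signature algorithm, but not as the NSEC3 hash) is easy to get wrong in an operational audit. The script below is an added example, not code from the thread or from either draft: it scans a zone file for the algorithm numbers the two drafts deprecate (RSASHA1 = 5, RSASHA1-NSEC3-SHA1 = 7, ECC-GOST = 12, per the IANA DNS Security Algorithm Numbers registry) and reports NSEC3 SHA-1 usage as informational only. It assumes a simplified one-record-per-line presentation format, and the sample zone fragment (keys, signature and digest values) is constructed placeholder data.

```python
# Added example, not part of the thread or of the IETF drafts it discusses.
# Audits zone-file lines for DNSSEC algorithms the two drafts deprecate:
#   RSASHA1 (5) and RSASHA1-NSEC3-SHA1 (7)  -- draft-ietf-dnsop-must-not-sha1
#   ECC-GOST (12)                           -- draft-ietf-dnsop-must-not-ecc-gost
# NSEC3's own SHA-1 hashing (NSEC3PARAM hash algorithm 1) is deliberately
# NOT flagged as deprecated, which is the distinction the thread raises.
from __future__ import annotations
from dataclasses import dataclass

# Algorithm numbers from the IANA "DNS Security Algorithm Numbers" registry.
DEPRECATED_ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    12: "ECC-GOST",
}

# Index of the algorithm field within the RDATA of each record type.
# DNSKEY: flags protocol algorithm key
# RRSIG:  type-covered algorithm labels orig-ttl expiration inception keytag signer sig
# DS:     keytag algorithm digest-type digest   (a DS names the child's key algorithm)
ALGORITHM_FIELD = {"DNSKEY": 2, "RRSIG": 1, "DS": 1}


@dataclass
class Finding:
    owner: str
    rtype: str
    severity: str  # "deprecated" or "info"
    message: str


def iter_records(zone_text: str):
    """Yield (owner, rtype, rdata_fields) from a simplified presentation-format zone.

    Assumption for this example: one record per line in the form
    'owner TTL IN TYPE rdata...', with no parentheses or multi-line records.
    """
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        yield fields[0], fields[3].upper(), fields[4:]


def audit_zone(zone_text: str) -> list[Finding]:
    """Return findings for every record that uses a deprecated algorithm."""
    findings: list[Finding] = []
    for owner, rtype, rdata in iter_records(zone_text):
        if rtype in ALGORITHM_FIELD:
            alg = int(rdata[ALGORITHM_FIELD[rtype]])
            if alg in DEPRECATED_ALGORITHMS:
                findings.append(Finding(
                    owner, rtype, "deprecated",
                    f"{rtype} uses algorithm {alg} ({DEPRECATED_ALGORITHMS[alg]}); "
                    f"re-sign with a supported algorithm"))
        elif rtype == "NSEC3PARAM" and int(rdata[0]) == 1:
            # Hash algorithm 1 is SHA-1, the only NSEC3 hash defined. The SHA-1
            # draft leaves this alone, so it is reported for awareness only.
            findings.append(Finding(
                owner, rtype, "info",
                "NSEC3 hashing uses SHA-1; not deprecated by these drafts"))
    return findings


def deprecated_findings(zone_text: str) -> list[Finding]:
    """Only the findings that require operator action."""
    return [f for f in audit_zone(zone_text) if f.severity == "deprecated"]


# Constructed sample zone fragment; key, signature and digest values are placeholders.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 7 AwEAAcONSTRUCTEDKSK=          ; KSK on RSASHA1-NSEC3-SHA1
example.test. 3600 IN DNSKEY 256 3 13 mdsswUyrConstructedZSK=      ; ZSK on ECDSAP256SHA256
example.test. 3600 IN RRSIG DNSKEY 7 2 3600 20250201000000 20250101000000 12345 example.test. c29tZXNpZw==
example.test. 3600 IN NSEC3PARAM 1 0 0 -
sub.example.test. 3600 IN DS 54321 12 3 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""

if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE):
        print(f"[{f.severity}] {f.owner} {f.rtype}: {f.message}")
```

Running it against the sample flags the RSASHA1-NSEC3-SHA1 KSK, the RRSIG made with it and the ECC-GOST DS, leaves the ECDSAP256SHA256 ZSK alone, and lists the NSEC3PARAM line as informational, matching the scope the revised title and abstract describe.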