On Jan 13, 2025, at 16:38, Warren Kumari <war...@kumari.net> wrote:
On Tue, Jan 07, 2025 at 1:44 PM, Paul Wouters <p...@nohats.ca> wrote:

On Tue, 7 Jan 2025, Paul Hoffman wrote:

draft-ietf-dnsop-must-not-sha1

This document is fine as-is, with one minor nit: Appendix C should be marked for removal by the RFC Editor, similar to Appendix B.

I think the Title and Abstract are broken. It currently states:

Remove SHA-1 from active use within DNSSEC

Abstract

This document retires the use of SHA-1 within DNSSEC.

As we are not removing SHA-1 from NSEC3,


Oh, yeah, good point! Thank you.


I believe the title and abstract (and perhaps more content) should clarify that this is about removing SHA-1 as hashing and signature algorithm.
Shumon noted that it is used as a hashing algorithm in NSEC3, so we are proposing:
Title: "Deprecating the use of SHA-1 in DNSSEC signature algorithms"
and
Abstract: 
"This document deprecates the use of the RSASHA1 and RSASHA1-NSEC3-SHA1
algorithms for the creation of DNSKEY and RRSIG records."

Does that work for you / Shumon?

Works for me.

Paul
============================================

draft-ietf-dnsop-must-not-ecc-gost

The goal of this document is fine. Some of the wording could be toned down because we don't actually know why the algorithms were deprecated. I heard, very informally, that they had a minor but real weakness, and their replacements had better security proofs. Given our lack of certainty, we should deprecate them only because the sponsoring government did.

Agreed. Additionally, I also don't like the phrase "from active use". Is there passive use? Also, we are not the protocol police about usage. We declare something obsolete or historic. We don't "pull from active use".



Ta. We have attempted to address this by updating the title of the GOST document to "Deprecate usage of ECC-GOST within DNSSEC". I still don't love it, but it is better…



Section 3 might instead read:

This document potentially increases the security of the DNSSEC ecosystem by deprecating algorithms that are no longer recommended for use.


Section 4 might instead read:

This document removes support for ECC-GOST. Zone operators currently making use of ECC-GOST based algorithms should switch to algorithms that remain supported. DNS registries should prohibit their clients from uploading and publishing ECC-GOST based DS records.

(The reference to RFC 9499 there is confusing, so it can be eliminated.)


It might also add a note stating that it is safe for code to be removed as there is no real world deployment of this algorithm.

Appendix C should be marked for removal by the RFC Editor, similar to Appendix B.


Paul W


_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-leave@ietf.org
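As an added example (not code from either draft or from anyone in this thread), the distinction Shumon raised turned into a zone-audit check a registry or operator could run: flag DNSKEY and RRSIG records that use RSASHA1 or RSASHA1-NSEC3-SHA1 and DS records for ECC-GOST, but leave NSEC3's SHA-1 hash untouched. Algorithm numbers 5, 7 and 12 are the IANA DNSSEC algorithm registry values; the zone lines, key material and signature bytes are constructed.

```python
# Added example: flag DNSSEC records whose *signature* algorithm the two drafts
# deprecate, while leaving NSEC3's SHA-1 hash alone. Algorithm numbers are the
# IANA DNSSEC algorithm registry values; the zone data below is constructed.
from typing import List, Optional

# algorithm number -> (mnemonic, deprecating draft)
DEPRECATED = {
    5: ("RSASHA1", "draft-ietf-dnsop-must-not-sha1"),
    7: ("RSASHA1-NSEC3-SHA1", "draft-ietf-dnsop-must-not-sha1"),
    12: ("ECC-GOST", "draft-ietf-dnsop-must-not-ecc-gost"),
}

# Index of the algorithm field inside the RDATA, per record type. NSEC3 and
# NSEC3PARAM are deliberately absent: their hash algorithm field (1 = SHA-1)
# is not what draft-ietf-dnsop-must-not-sha1 deprecates.
ALG_FIELD = {"DNSKEY": 2, "RRSIG": 1, "DS": 1}


def check_record(line: str) -> Optional[tuple]:
    """Return (owner, rrtype, algorithm, reason) if the record's algorithm is deprecated."""
    tokens = line.split()
    if "IN" not in tokens:
        return None
    type_idx = tokens.index("IN") + 1
    if type_idx >= len(tokens) or tokens[type_idx].upper() not in ALG_FIELD:
        return None  # NSEC3PARAM, A, etc. are never flagged
    rrtype = tokens[type_idx].upper()
    rdata = tokens[type_idx + 1:]
    try:
        alg = int(rdata[ALG_FIELD[rrtype]])
    except (IndexError, ValueError):
        return None  # malformed record: leave it to the zone checker
    if alg not in DEPRECATED:
        return None
    mnemonic, draft = DEPRECATED[alg]
    return (tokens[0], rrtype, alg, f"{mnemonic} deprecated by {draft}")


def check_zone(lines: List[str]) -> List[tuple]:
    """Run check_record over every line of a presentation-format zone."""
    return [f for f in map(check_record, lines) if f is not None]


# Constructed zone fragment; key material and signature bytes are fake.
SAMPLE_ZONE = [
    "example. 3600 IN DNSKEY 257 3 5 AwEAAfakeKSK==",
    "example. 3600 IN DNSKEY 256 3 13 fakeZSK==",
    "example. 3600 IN RRSIG DNSKEY 7 1 3600 20250201000000 20250101000000 12345 example. fakeSig==",
    "example. 3600 IN NSEC3PARAM 1 0 10 AABBCCDD",
    "child.example. 3600 IN DS 54321 12 2 0123456789abcdef",
]
```

Running `check_zone(SAMPLE_ZONE)` reports the algorithm 5 DNSKEY, the algorithm 7 RRSIG and the algorithm 12 DS record, and nothing for the NSEC3PARAM line even though its hash algorithm is SHA-1.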
