Document: draft-ietf-dnsop-must-not-sha1
Title: Deprecating the use of SHA-1 in DNSSEC signature algorithms
Reviewer: Yoav Nir
Review result: Ready
The document is fine as it is.

I will say that the Security Considerations section is a bit strange:

    This document deprecates the use of RSASHA1 and RSASHA1-NSEC3-SHA1
    signatures since they are no longer considered to be secure.

But that is a common problem with documents like this that deprecate existing algorithms or protocol options for security reasons. Some documents got around this by claiming that the whole document is security considerations. For example, a draft of RFC 7568 (deprecating SSLv3) said:

    This entire document aims to improve security by prohibiting the use
    of a protocol that is not secure.

But they toned it down for the final RFC.

Anyway, it's fine as it is.