[DNSOP] Comments on draft-hardaker-dnsop-must-not-ecc-gost-00

2024-04-29 Thread S Moonesamy
Hi Wes, Warren, I took a quick look at draft-hardaker-dnsop-must-not-ecc-gost-00. The Introduction Section states that the security of the ECC-GOST algorithm has been slowly diminishing over time as various forms of attacks have weakened its cryptographic underpinning. There isn't any inform

Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

2024-04-29 Thread Philip Homburg
> I also don't think that simple, procedural documents that are straightforwardly-written and uncontentious ought to present a big drain on the resources of the working group. I think if we all tried really hard not to nitpick or to play amateur copy-editors we could probably last-call simple

Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

2024-04-29 Thread Paul Wouters
On Mon, 29 Apr 2024, Philip Homburg wrote: As far as I know there is no second pre-image attack on SHA1, and there will not be one in the foreseeable future. Correct. So if we deprecate SHA1 for validators, and assuming validators will follow this advice, and some platforms already stopped v

Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

2024-04-29 Thread Paul Hoffman
On Apr 29, 2024, at 13:00, Paul Wouters wrote: > That said, a number of OSes have already forced the issue by failing SHA1 as cryptographic operation (RHEL, CentOS, Fedora, maybe more). So right now, if you run DNSSEC with SHA1 (which includes NSEC3 using SHA1), your validator might already

Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

2024-04-29 Thread Paul Wouters
On Mon, 29 Apr 2024, Paul Hoffman wrote: If the purpose of deprecating validation that involves SHA-1 is the decision by RedHat to make that entire section of the DNS insecure, the documents should say that explicitly. Conflating the pre-image weaknesses of SHA-1 and actual useful attacks on

Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

2024-04-29 Thread Paul Hoffman
On Apr 29, 2024, at 13:30, Paul Wouters wrote: > > On Mon, 29 Apr 2024, Paul Hoffman wrote: > >> If the purpose of deprecating validation that involves SHA-1 is the decision >> by RedHat to make that entire section of the DNS insecure, the documents >> should say that explicitly. Conflating th

Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

2024-04-29 Thread Mark Andrews
> On 30 Apr 2024, at 06:00, Paul Wouters wrote: > > On Mon, 29 Apr 2024, Philip Homburg wrote: > >> As far as I know there is no second pre-image attack on SHA1, and there >> will not be one in the foreseeable future. > > Correct. > >> So if we deprecate SHA1 for validators, and assuming va