On 11/02/2010 12:57 PM, Stephen Kent wrote:
> I recommend that the document not be approved by the IESG in its current
> form. Section 6.1 states:
>
>     6.1. Support for GOST signatures
>     DNSSEC aware implementations SHOULD be able to support RRSIG and
>     DNSKEY resource records created with the GOST algorithms as
>     defined in this document.
>
> There has been considerable discussion on the security area directorate
> list about this aspect of the document. All of the SECDIR members who
> participated in the discussion argued that the text in 6.1 needs to be
> changed to MAY from SHOULD. The general principle cited in the
> discussion has been that "national" crypto algorithms like GOST ought
> not be cited as MUST or SHOULD in standards like DNSSEC. I refer
> interested individuals to the SECDIR archive for details of the discussion.
> (http://www.ietf.org/mail-archive/web/secdir/current/maillist.html)
>
> Steve
As a document shepherd I have made note that this is desired, but at
the same time this is a topic that was outside the scope of the working
group.
This is on the other hand a topic that belongs in the IETF review.
So my questions to the IETF (paraphrasing George Orwell):
"Are all crypto algorithms equal, but some are more equal than others?"
Who gets to decide on what algorithms get first class status and based
on what criteria?
Steve brought up "national" algorithms, but we also have "personal"
algorithms such as curve25519 or threefish.
Olafur
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf