On Thu, Feb 11, 2010 at 03:11:27PM -0500, Olafur Gudmundsson wrote:
>
> Who gets to decide on what algorithms get first class status and based
> on what criteria?

Without wanting to put words in Olafur's mouth, it seems to me that a couple of details are needed as background to focus this debate.

At the moment, the only way to add a new algorithm to DNSSEC is standards action. So in order to add GOST, we have to have a standards-track document.

We also have the problem that DNS clients cannot negotiate their algorithms with the other end of the communication. Moreover, the natural fallback -- use a "MAY" algorithm by preference, but include a MUST algorithm so that everyone can verify your signatures -- will increase the size of DNS responses. Alternatively, one can use a "MAY" algorithm only, but with the knowledge that a substantial number of people might not be able to validate (so they'll treat the answer as unsecured, and not get the benefit of DNSSEC).

So the question here is not what algorithms get "first class" status in general, but whether we want to have different classes of support for DNSSEC, given the current conditions.

Thanks and best regards,

A

--
Andrew Sullivan
ajs@xxxxxxxxxxxx
Shinkuro, Inc.

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
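The trade-off described in the message above (sign with a "MAY" algorithm alone and lose validators that do not support it, or sign with both a "MAY" and a "MUST" algorithm and pay for it in response size) can be made concrete with a small model. The following is an added example, not code from the thread or from any IETF document; the algorithm numbers are the real IANA DNSSEC values, while the validator population shares, the signature sizes and the per-RRSIG overhead are constructed estimates for illustration only. The model follows the rule that a validator which supports none of a zone's algorithms treats its data as insecure (unsigned) rather than bogus, and that one valid RRSIG under a supported algorithm is enough for a secure result.

```python
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers (real registry values).
RSASHA1 = 5
RSASHA256 = 8
GOST_R_34_10_2001 = 12   # RFC 5933
ECDSAP256SHA256 = 13

# Constructed estimates of the signature field size in bytes:
# RSA with a 2048-bit key gives a 256-byte signature, GOST and
# ECDSA P-256 give 64-byte signatures.
SIG_BYTES = {
    RSASHA1: 256,
    RSASHA256: 256,
    GOST_R_34_10_2001: 64,
    ECDSAP256SHA256: 64,
}

# Per-RRSIG overhead on the wire (assumption): 12 bytes of RR header
# with a compressed owner name, 18 bytes of fixed RRSIG RDATA fields
# (type covered, algorithm, labels, original TTL, expiration,
# inception, key tag) and a 9-byte signer name such as "example.".
RRSIG_OVERHEAD = 12 + 18 + 9


@dataclass(frozen=True)
class ValidatorGroup:
    """A slice of the validator population and the algorithms it supports."""
    name: str
    supported: frozenset
    share: float   # fraction of all validators, constructed for the example


def classify(zone_algs, validator_algs):
    """Outcome for one validator.

    'secure'   - at least one RRSIG uses an algorithm the validator supports
                 (signatures are assumed to verify correctly here).
    'insecure' - no supported algorithm at all, so the validator treats the
                 answer as unsigned and gets no DNSSEC benefit.
    """
    if set(zone_algs) & set(validator_algs):
        return "secure"
    return "insecure"


def rrsig_bytes(zone_algs):
    """Bytes spent on RRSIGs for one RRset signed under each listed algorithm."""
    return sum(RRSIG_OVERHEAD + SIG_BYTES[alg] for alg in zone_algs)


def secure_coverage(zone_algs, population):
    """Fraction of validators that obtain a 'secure' result for this signing policy."""
    return sum(g.share for g in population
               if classify(zone_algs, g.supported) == "secure")


# Constructed validator population: most support only the RSA
# algorithms, some add ECDSA, and a minority also support GOST.
POPULATION = (
    ValidatorGroup("rsa-only", frozenset({RSASHA1, RSASHA256}), 0.6),
    ValidatorGroup("rsa+ecdsa", frozenset({RSASHA1, RSASHA256, ECDSAP256SHA256}), 0.3),
    ValidatorGroup("rsa+ecdsa+gost", frozenset({RSASHA1, RSASHA256, ECDSAP256SHA256,
                                                GOST_R_34_10_2001}), 0.1),
)

GOST_ONLY = (GOST_R_34_10_2001,)              # "MAY" algorithm alone
GOST_PLUS_RSA = (GOST_R_34_10_2001, RSASHA256)  # "MAY" plus a "MUST" algorithm


def compare_policies(population=POPULATION):
    """Return {policy name: (secure coverage, RRSIG bytes per RRset)}."""
    return {
        "gost-only": (secure_coverage(GOST_ONLY, population), rrsig_bytes(GOST_ONLY)),
        "gost+rsa": (secure_coverage(GOST_PLUS_RSA, population), rrsig_bytes(GOST_PLUS_RSA)),
    }


if __name__ == "__main__":
    for policy, (coverage, size) in compare_policies().items():
        print(f"{policy:10s} secure for {coverage:.0%} of validators, "
              f"{size} RRSIG bytes per RRset")
```

Under the constructed population, signing with GOST alone keeps the RRSIG cost at 103 bytes per RRset but only 10% of validators get a secure answer; adding an RSASHA256 signature brings every validator to secure at the cost of 398 bytes per RRset. Changing the `POPULATION` shares or the `SIG_BYTES` estimates shows how the balance moves as support for a new algorithm spreads.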