At 4:04 PM -0500 2/11/10, Andrew Sullivan wrote: >So the question here is not what algorithms get "first class" status >in general, but whether we want to have different classes of support >for DNSSEC, given the current conditions. First off, thank you for better stating the question. There are a plethora of signing algorithms. Note that a signing algorithm consists of a public key algorithm *and* a hash algorithm. The question here is whether they also have SHOULD-level requirements to process every signing algorithm that is in the IANA registry. Having such a requirement gives attackers a much wider target: in order to spoof a signature, they can pick the weakest of a large collection of algorithms. For example, there is already a published attack on the GOST hash function that does not exist in SHA-256 and SHA-512. The GOST algorithms have had much less cryptographic review than other algorithms. If that attack becomes practical, an attacker can create signatures using GOST that he/she could not create in RSA/SHA-256 or RSA/SHA-512. Given this, the answer to the question should be "no, not all algorithms automatically get SHOULD-level requirements". The IETF can, on a case-by-case basis, decide if they want to update the base DNSSEC spec to include a SHOULD-level or MUST-level requirement for a new signature algorithm. --Paul Hoffman, Director --VPN Consortium _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf