Re: IAB statement on the RPKI.

Dmitry Burkov wrote:
> 
> On 16.02.10 4:21, Phillip Hallam-Baker wrote:
> > deploy as at present does not seem to have occurred to them. It is
> > quite possible that what is driving the GOST issue is that the GRU
> > really has a thing about vanity crypto. But I think it much more
> > likely that they are going to use it as part of a series of
> > regulations that effectively require Russian ISPs chain their DNSSEC
> > off the GRU approved root.
> >    
> 
> I think that it is not a constructive way to discuss this issue
> following some conspiracy theories.
> I want to refer you to the origin of this discussion on the IETF lists
> http://dnssec-deployment.org/pipermail/dnssec-deployment/2009-April/thread.html#2932
> 
> and want to remind you what the initial reason was for us to follow this
> way and to propose GOST as one of the standard algorithms for DNSSEC.

With respect to supporting a regionally favoured crypto algorithm,
the solution should be different.  DNSsec should allow for the
presence of more than one signature (differing in algorithm),
so that Zones can carry both, a mandatory to implement signature
(algorithm) and interoperable world-wide, and one that might
be preferred in particular regions (or legislations) and can
be evaluated in those areas by those who care (or which are
obliged to care).

The obvious benefit is that only those living in regions or
legislations with an extreme bias towards certain crypto algorithms
have to bear the burden of creating and verifying the optional
signatures with that algorithm, while the others can continue
to use the single common and mandatory algorithm.


I don't have a problem if DNS-Zones like ".ru", ".su" include
GOST-based signatures in their Zones.   But to me it looks like
a serious problem if they do _NOT_ include signatures of a
common worldwide algorithm (which can be used by all others
that verify zones from .ru and .su).


(are signatures and DNS KEYs in DNSsec really designed to be
 "highlanders", i.e. there can only be one?)

-Martin
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
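
The arrangement discussed in the message above (each RRset carrying a signature from a common algorithm next to a regionally preferred one) can be checked mechanically. The following is an added example, not part of the original message or of any DNSSEC tool: it reads RRSIG records in presentation format and lists RRsets signed only with an algorithm outside a common set. The zone fragment, the name `zone.example.` and the contents of `COMMON` are constructed assumptions.

```python
from collections import defaultdict

# IANA DNSSEC algorithm numbers; 12 is ECC-GOST (GOST R 34.10-2001).
ALG_NAMES = {5: "RSASHA1", 8: "RSASHA256", 12: "ECC-GOST"}
# Assumption: algorithms treated as the common, world-wide set. Policy choice.
COMMON = {5, 8}

# Constructed zone fragment; signature fields are placeholders, not real.
SAMPLE_ZONE = """\
zone.example.      3600 IN RRSIG SOA 8  2 3600 20100401000000 20100301000000 11111 zone.example. cGxhY2Vob2xkZXI=
zone.example.      3600 IN RRSIG SOA 12 2 3600 20100401000000 20100301000000 22222 zone.example. cGxhY2Vob2xkZXI=
mail.zone.example. 3600 IN RRSIG A   8  3 3600 20100401000000 20100301000000 11111 zone.example. cGxhY2Vob2xkZXI=
www.zone.example.  3600 IN RRSIG A   12 3 3600 20100401000000 20100301000000 22222 zone.example. cGxhY2Vob2xkZXI=
"""


def parse_rrsigs(text):
    """Yield (owner, type_covered, algorithm) per RRSIG line (presentation format)."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        # owner TTL class RRSIG covered alg labels origTTL exp inc tag signer sig
        if len(fields) < 13 or fields[3].upper() != "RRSIG":
            continue
        yield fields[0].lower(), fields[4].upper(), int(fields[5])


def audit(text, common=COMMON):
    """Map each signed RRset to the algorithms covering it."""
    by_rrset = defaultdict(set)
    for owner, rtype, alg in parse_rrsigs(text):
        by_rrset[(owner, rtype)].add(alg)
    return {
        key: {"algorithms": sorted(algs), "common": bool(algs & common)}
        for key, algs in sorted(by_rrset.items())
    }


def regional_only(text, common=COMMON):
    """RRsets that a validator limited to the common set cannot verify."""
    return [key for key, info in audit(text, common).items() if not info["common"]]


if __name__ == "__main__":
    for (owner, rtype), info in audit(SAMPLE_ZONE).items():
        names = [ALG_NAMES.get(a, str(a)) for a in info["algorithms"]]
        flag = "ok" if info["common"] else "REGIONAL ONLY"
        print(f"{owner:20} {rtype:4} {', '.join(names):22} {flag}")
```

In the constructed fragment only the `www.zone.example.` A RRset is flagged, since its sole signature uses algorithm 12.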