Re: Q2: crypto algorithm requirements for DNSSEC
"Loomis, Rip" <GILBERT.R.LOOMIS@saic.com> writes:
> > Q: Is the change of DSA to OPTIONAL acceptable? That will
> > leave only RSA/SHA1 as the only mandatory to implement algorithm.
>
> I never saw a convincing argument, given the above items, as to why this
> was a *useful* change. Whose time are we really saving by making this
> change? DSA might not be incredibly useful today, but I guess I don't
> see why it's useful to "unspecify" it when it's already documented and
> specified. Yes, I just tried to look through my archives and notes to
> see if I missed the convincing argument.
The only argument I've seen (note: I'm repeating it here to answer
your question, not because I necessarily agree with it) is that in
embedded devices (like an IP Phone that does its own DNSSec
verification) you don't want to have to implement more than you really
need. A "must" algorithm that is never used is just a lot of wasted
bits in a very restricted space.
Note that I'm not convinced this is a compelling argument, but it's
the best one I've heard so far.
> If I've missed some past convincing argument, or if I've screwed up
> anything in my summary above, I'm sure someone will re-calibrate me.
> If the question is "Could I *live* with this change?" then the answer
> would be Yes. I'm just not sure why the change is desired.
See my previous mail on "must implement" v "must use".
> --Rip
-derek
--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com
archive: <http://ops.ietf.org/lists/namedroppers/>