Re: Q2: crypto algorithm requirements for DNSSEC

[Bill Manning <bmanning@ISI.EDU>]

% On Thu, 13 Feb 2003, Miek Gieben wrote:
% 
% > > I wouldn't consider the resources used for signing a problem with modern
% > > hardware - people sign .com with their desktop machine within reasonable
% > > time.
% >
% > so you're asking a TLD to carry twice the load for an event which is unlikely
% > to happen soon?
% 
% yes, if we come to the conclusion that we should use two algorithms.
% 
% > And further more, we (.nl), have to explain to every domain holder in
% > .nl that signing with 2 algorithms is better than signing with 1.
% 
% if we cannot explain why to normal people, I'm not sure we should do two
% algorithms.
% 
% 
% 	jakob


back in the mists of time, we actually tested signed heirarchies with two
algorithms.  There were interesting results when trying to do validation.
as I remember, the results strengthened the argument for a single algorithm.
resolver code may have become more robust since then and the point may be
moot.


--bill
Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>