> This is absurd. If we're going to do this, I'd like the security
> considerations to reflect all of the non-zero probabilities of errors
> occurring (those that have a higher probability).

I just answered this point in private mail to someone else, failing to realize until after I'd sent it that it was off-list, so I'll repeat myself...

My point is not to say that hash collisions are a problem or that NSEC3 is a poor choice. My point is that it's bad form to make mathematically false statements--even if they're *almost completely* true--and especially so when you get anywhere near cryptographers.

"NSEC3 is exactly as good as NSEC" is a mathematical statement. It's very, very close to true, but in math that still makes it false.

"NSEC3 is as good as NSEC except under conditions so fantastically improbable that it's safe to ignore them" is a few more words, but has the benefit of actually being *true*, and I think that's what the draft should say.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop