On 02/23/10 07:42, Paul Wouters wrote:
> On Mon, 22 Feb 2010, Doug Barton wrote:
> 
>> My thoughts are sort of leaning in the direction that a very brief
>> mention of the issue combined with a reference to what Evan quoted in
>> 5155 (which seems to handle the issue well) is probably the right
>> direction to go.
> 
> I'm with Andrew and people. Mentioning it in 4641bis gives it much
> more weight than it deserved, and I think will cause people to
> perhaps make the wrong decision.

"Wrong" according to who?

Leaving aside my deep concerns about the thinking that went into that
statement, I think the fact that this thread exists at all indicates
that there is a serious FUD potential here that 4641bis should address.
I suggest a statement like the following (very rough):

Because NSEC3 uses a hash function there is an unimaginably small chance
that two different hostnames could produce the same hash output, and an
even smaller chance that such a collision could be exploitable by an
attacker. This issue SHOULD NOT be a factor in making an operational
decision about which type of signing to use. See [RFC5155] for more
information, including the relevant mathematical background.


hth,

Doug (We report, YOU decide)

-- 

        ... and that's just a little bit of history repeating.
                        -- Propellerheads

        Improve the effectiveness of your Internet presence with
        a domain name makeover!    http://SupersetSolutions.com/

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
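To make the "unimaginably small" claim in the proposed text concrete, here is an added worked example (it is not code from the post or from the DNSOP working group). It computes the NSEC3 hashed owner name as RFC 5155 defines it (SHA-1 over the canonical wire-format name plus salt, re-hashed for the configured number of iterations, then Base32 with the Extended Hex alphabet), runs the collision check that a signer performs over a constructed list of names, and evaluates the birthday bound that gives the probability of any two names in a zone hashing to the same value. The function names, the sample names and the zone sizes are assumptions for illustration; the salt aabbccdd and 12 iterations are the parameters RFC 5155 uses in its Appendix A examples.

```python
import hashlib
import math

# Base32 "Extended Hex" alphabet (RFC 4648 section 7), used for NSEC3 owner
# names because it sorts in the same order as the underlying bytes.
B32HEX = "0123456789abcdefghijklmnopqrstuv"


def base32hex(data: bytes) -> str:
    """Encode bytes as unpadded, lowercase base32hex (hand-rolled so it runs
    on any Python 3; 20 SHA-1 bytes become exactly 32 characters)."""
    nbits = len(data) * 8
    pad = (-nbits) % 5
    bits = int.from_bytes(data, "big") << pad
    nchars = (nbits + pad) // 5
    return "".join(B32HEX[(bits >> (5 * (nchars - 1 - i))) & 31]
                   for i in range(nchars))


def to_wire(name: str) -> bytes:
    """Canonical wire format of an owner name: lowercase labels, each
    prefixed by its length, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str = "-", iterations: int = 0) -> str:
    """Hashed owner name per RFC 5155 section 5:
    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    A salt of "-" means no salt, as in NSEC3PARAM presentation format."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def find_collisions(names, salt_hex="-", iterations=0):
    """The check a signer runs before emitting the NSEC3 chain: map each hash
    to the names that produced it and return only the hashes shared by two or
    more distinct names (RFC 5155 has the signer pick a new salt and restart
    when this is non-empty)."""
    seen = {}
    for n in names:
        seen.setdefault(nsec3_hash(n, salt_hex, iterations), set()).add(
            n.rstrip(".").lower())
    return {h: sorted(v) for h, v in seen.items() if len(v) > 1}


def collision_probability(n_names: int, hash_bits: int = 160) -> float:
    """Birthday bound: probability that at least one pair among n_names
    uniformly distributed outputs collides, 1 - exp(-n(n-1) / 2^(bits+1)).
    For realistic zone sizes this is astronomically small."""
    pairs = n_names * (n_names - 1) / 2.0
    return -math.expm1(-pairs / 2.0 ** hash_bits)


# Constructed sample zone contents (not from any real zone).
SAMPLE_NAMES = ["example.", "a.example.", "ai.example.", "ns1.example.",
                "www.example.", "*.w.example.", "x.y.w.example."]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print("%-16s -> %s" % (n, nsec3_hash(n, "aabbccdd", 12)))
    print("collisions:", find_collisions(SAMPLE_NAMES, "aabbccdd", 12))
    for size in (10 ** 3, 10 ** 6, 10 ** 9):
        print("zone of %d names: P(collision) ~ %.3g"
              % (size, collision_probability(size)))
```

The hashes printed for salt aabbccdd and 12 iterations can be compared directly against the NSEC3 records in RFC 5155 Appendix A. The probability figures are what the proposed text is pointing at: even for a zone of a billion names the chance that any two hash together is on the order of 10^-31, and a signer that does find one simply re-salts, so the collision never reaches a validator.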
