-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04-03-13 14:22, Joe Abley wrote:
> Contrarily, I don't think the goal should be for registry policy to
> dictate what DS records should be acceptable for a child. I think
> this should be the child's decision.

That's for local policy to decide. A domain might want to profile itself as only accepting tested and secure algorithms so its users know what to expect in that domain. A single child stepping in with its own unsupported algorithm to try to break that expectation does not help us to a better place.

> If as a child I want to use an experimental or newly-standardised
> algorithm, I should be able to do so.

I expected that argument. Experiments should be done in a lab. On a network that we want to be reliable and secure, experiments from children should not dictate parent policy.

> The relying parties for my signatures in my zone might well not
> include the parent zone operator. Why should the choice of
> algorithms for those relying parties be restricted by what the
> parent zone operator thinks is acceptable?

I want to experiment with MD5. Could the root please supply me with MD5 signatures, as my relying party does not understand anything else...

If you want to use my domain, you should at least support the algorithms I use for the hashes in my chain of trust to the root. Anything else on top of that is fine, but you can't do without mine.

> We're threatening the future development and use of new algorithms
> by institutionalising these restrictions.

If you want to experiment with algorithms in your own zone, under your own domain, with your own SEP as trust anchor, be my guest. Do that on your own level in your own tree. But don't force your parent to facilitate each and every experiment. Once an algorithm is tested and considered deployed in the policy area the parent wants to serve, I'm sure they will use it.
-- 
Antoin Verschuren
Technical Policy Advisor SIDN
Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500  M: +31 6 23368970
Mailto: [email protected]
XMPP: [email protected]
HTTP://www.sidn.nl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJRNLM0AAoJEDqHrM883AgnYssIAJWrWa96nJ8tWxGvjx/6b+Rw
r3jNRhsxgrIifAsKqZ2iRE8NPo9u8TpIVFs2rDlXbRyutfasEHZmUN6gVU6Zzr+e
WRiqfog7PBWJuo7/snf3U/yH+yMD8kv/nrpwNwcMCzSwEiCvLKzvpBQkN98ixAJz
jWAKyV8OHN6mCerZb2KtSIk+aSKHrRfgyan27fiAlnBRltLtcNNn41A4HbeUgeje
ItFEbzJNSwjOyEMXBsvta3LuOtB4IAIvuorFWbtyYVAcR3P3aJCzfcSpp9+D3vEs
RoHTZkCaXct+WkvcZ5Bpsjg9Z7JuYEICiA4rg5T0T/SJzdiCFZJnzG8LIM+OJvU=
=I8hG
-----END PGP SIGNATURE-----

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
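The check the two sides of this thread are arguing over is the parent-side acceptance of a child's DS record: an allowlist of DNSKEY algorithms and DS digest types set by registry policy, followed by recomputing the DS from the child's DNSKEY (RFC 4034 section 5.1.4) so that a mistyped or mismatched digest is rejected as well. The following is an added, illustrative example; it is not code from this message, from SIDN, or from any registry's provisioning system. The two policy sets, the DNSKEY bytes (arbitrary, not a real public key), the owner name `child.example.` and the names `RegistryPolicy` and `check_ds_submission` are assumptions made for the example.

```python
"""Parent-side DS acceptance check: registry algorithm policy plus DS/DNSKEY consistency.

Added illustration, not code from the DNSOP thread or from SIDN. The policy sets,
the DNSKEY bytes and the names RegistryPolicy / check_ds_submission are assumptions.
"""
import hashlib
import struct
from dataclasses import dataclass

# DNSKEY algorithm numbers (IANA "DNS Security Algorithm Numbers" registry)
RSAMD5 = 1            # deprecated; RFC 6944 lists it as MUST NOT implement
RSASHA256 = 8
ECDSAP256SHA256 = 13
PRIVATEDNS = 253      # private-use algorithm, the kind a lab experiment would use

# DS digest types (RFC 4034 and RFC 4509)
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
_DIGEST_FUNCS = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (an identifier, not a cryptographic check)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def ds_from_dnskey(key: DNSKEY, digest_type: int) -> DS:
    """DS digest = H(owner name in wire format || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    digest = _DIGEST_FUNCS[digest_type](wire_name(key.owner) + key.rdata()).digest()
    return DS(key.owner, key.key_tag(), key.algorithm, digest_type, digest)


@dataclass(frozen=True)
class RegistryPolicy:
    """What the parent is willing to publish for its children. Contents are an assumption."""
    allowed_algorithms: frozenset
    allowed_digest_types: frozenset


def check_ds_submission(policy: RegistryPolicy, ds: DS, key: DNSKEY):
    """Return (accepted, reason). Policy is applied first; then the DS is recomputed
    from the child's DNSKEY so that a DS that does not match the key is caught too."""
    if ds.algorithm not in policy.allowed_algorithms:
        return False, f"algorithm {ds.algorithm} not accepted by parent policy"
    if ds.digest_type not in policy.allowed_digest_types:
        return False, f"digest type {ds.digest_type} not accepted by parent policy"
    if ds.digest_type not in _DIGEST_FUNCS:
        return False, f"digest type {ds.digest_type} not implemented at the parent"
    if ds.algorithm != key.algorithm:
        return False, "DS algorithm field does not match the DNSKEY"
    if ds.key_tag != key.key_tag():
        return False, "DS key tag does not match the DNSKEY"
    if ds.digest != ds_from_dnskey(key, ds.digest_type).digest:
        return False, "DS digest does not match the DNSKEY"
    return True, "accepted"


# Constructed sample data: the key bytes are arbitrary, not a real public key.
STRICT_POLICY = RegistryPolicy(frozenset({RSASHA256, ECDSAP256SHA256}), frozenset({DIGEST_SHA256}))
PERMISSIVE_POLICY = RegistryPolicy(frozenset({RSASHA256, ECDSAP256SHA256, PRIVATEDNS}),
                                   frozenset({DIGEST_SHA1, DIGEST_SHA256}))
CHILD_KEY = DNSKEY("child.example.", 257, 3, RSASHA256, bytes(range(1, 33)))
EXPERIMENTAL_KEY = DNSKEY("child.example.", 257, 3, PRIVATEDNS, bytes(range(1, 33)))

if __name__ == "__main__":
    for label, policy in (("strict", STRICT_POLICY), ("permissive", PERMISSIVE_POLICY)):
        for key in (CHILD_KEY, EXPERIMENTAL_KEY):
            for dt in (DIGEST_SHA256, DIGEST_SHA1):
                ds = ds_from_dnskey(key, dt)
                print(label, "alg", key.algorithm, "digest", dt, check_ds_submission(policy, ds, key))
```

The same DS for the `PRIVATEDNS` key is rejected under `STRICT_POLICY` and accepted under `PERMISSIVE_POLICY`; only the allowlist differs, the digest recomputation is identical. That is the "local policy" distinction the message draws: the consistency check is a property of the protocol, the algorithm set is a choice the parent makes for the zone it serves.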
