Mukund Sivaraman <[email protected]> wrote:
>
> 2. Matching DNSKEYs in child for every DS algorithm type in parent are
> not required in validator requirements to allow them to be more
> accommodating with configuration mistakes. This doesn't give
> importance to the possibility of downgrade attacks as much as
> allowing validation to succeed through any chain. The possibility of
> downgrade attacks is mentioned in RFC 4509 sec. 6.1, but nothing is
> done towards avoiding it.
I would have thought that mistakes are not the concern here: surely you
have to allow a mismatch between algorithms in parent and child to
support algorithm rollovers.

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
South Biscay, Southeast Fitzroy: Variable 4, becoming southwesterly 5 or 6.
Rough or very rough. Fair. Good.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
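The two validator policies the quoted point contrasts, as an added example that is not part of the thread and not code from any DNS implementation. It reduces DS, DNSKEY and RRSIG records to their IANA algorithm numbers (8 = RSASHA256, 13 = ECDSAP256SHA256) and assumes every signature that is present would verify, so only the presence of each link in the DS -> DNSKEY -> RRSIG path is modelled. The "strict" policy applies the signer-side rule of RFC 4035 section 2.2 (every DS algorithm must be backed by a DNSKEY and RRSIG) as a validation requirement; the "lenient" policy is the RFC 6840 section 5.11 rule that any one complete path suffices. The scenarios are constructed, not captured data. The point the model makes concrete is that a child that has stopped signing with one of its DS algorithms and a response from which an attacker has stripped that algorithm look identical to the validator, so whichever policy is chosen treats both the same way.

```python
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers used in the scenarios below.
RSASHA256 = 8
ECDSAP256SHA256 = 13


@dataclass(frozen=True)
class Chain:
    """What a validator sees for one delegation, reduced to algorithm numbers.

    ds:     algorithms of the DS RRs published by the parent
    dnskey: algorithms of the DNSKEY RRs at the child apex
    rrsig:  algorithms of the RRSIGs covering the child RRset being validated
    """
    ds: frozenset
    dnskey: frozenset
    rrsig: frozenset


def complete_algorithms(chain):
    """Algorithms for which a DS -> DNSKEY -> RRSIG path exists.

    Assumption: any signature that is present would verify; only the
    presence of each link is modelled, no cryptography is performed.
    """
    return chain.ds & chain.dnskey & chain.rrsig


def validate_strict(chain):
    """RFC 4035 s2.2 signer rule enforced by the validator: every algorithm
    in the DS RRset must have a matching DNSKEY and RRSIG, else Bogus."""
    if not chain.ds:
        return "insecure"          # no DS: unsigned delegation
    return "secure" if complete_algorithms(chain) == chain.ds else "bogus"


def validate_lenient(chain):
    """RFC 6840 s5.11 validator rule: one complete path is enough."""
    if not chain.ds:
        return "insecure"
    return "secure" if complete_algorithms(chain) else "bogus"


def compare(chain):
    """Outcome under both policies, for side-by-side inspection."""
    return {"strict": validate_strict(chain), "lenient": validate_lenient(chain)}


# Constructed scenarios (not captured zone data).
BOTH = frozenset({RSASHA256, ECDSAP256SHA256})
ONLY_RSA = frozenset({RSASHA256})

# Steady state: parent and child agree on both algorithms.
STEADY = Chain(ds=BOTH, dnskey=BOTH, rrsig=BOTH)

# Pre-publish step of a rollover: the child already signs with the new
# algorithm, the parent only has a DS for the old one. Both policies accept
# this, because the mismatch is in the direction "child has more".
PREPUBLISH = Chain(ds=ONLY_RSA, dnskey=BOTH, rrsig=BOTH)

# The child has stopped signing with algorithm 13 (rollover step or operator
# mistake) while the parent still publishes a DS for it.
PARTIAL = Chain(ds=BOTH, dnskey=BOTH, rrsig=ONLY_RSA)

# Downgrade: an attacker able to forge algorithm 8 serves a DNSKEY RRset and
# RRSIGs with algorithm 13 removed. The parent DS set is unchanged, so the
# validator's view is the same as PARTIAL.
DOWNGRADED = Chain(ds=BOTH, dnskey=ONLY_RSA, rrsig=ONLY_RSA)

# Unsigned delegation: no DS at all.
UNSIGNED = Chain(ds=frozenset(), dnskey=ONLY_RSA, rrsig=ONLY_RSA)


if __name__ == "__main__":
    for name, chain in [("steady", STEADY), ("prepublish", PREPUBLISH),
                        ("partial", PARTIAL), ("downgraded", DOWNGRADED),
                        ("unsigned", UNSIGNED)]:
        print(f"{name:11s} {compare(chain)}")
```

Running the block prints one line per scenario; the lenient policy reports "secure" for both PARTIAL and DOWNGRADED, the strict policy reports "bogus" for both, and neither policy can tell the two apart from the data it is given.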
