On Wed, 9 Sep 2015, Viktor Dukhovni wrote:
I'd like to propose that with the introduction of the CFRG algorithms, we should deprecate:3 DSA/SHA1 DSA Y Y RFC3755 6 DSA-NSEC3-SHA1 DSA-NSEC3-SHA1 Y Y RFC5155 12 GOST R 34.10-2001 ECC-GOST Y * RFC5933 and as ideally also announce a sunset date for: 5 RSA/SHA-1 RSASHA1 Y Y RFC3110RFC4034 7 RSASHA1-NSEC3-SHA1 RSASHA1-NSEC3-SHA1 Y Y RFC5155 though of course these are rather widely used at present, it is time to start encouraging folks to move on.
Most people on 5 or 7 are only on it because their software does not support an algorithm roll (like current opendnssec). I'm not sure if declaring sunset will help them get un-stuck.
Once the CFRG algorithms are done, I would also publish an updated list of MTI algorithms for DNSSEC that would consist of: 8, 12 and both of the CFRG algorithms.
You listed 12 as both deprecate and MTI ?
The more secure of the two CFRG algorithms should be supported by clients, but should not yet be used by servers, concerns about post-QC crypto don't really apply to short-term signatures
I thought the whole point of QC was that it makes key discovery a trivial short brute force. It would be especially useful for short term signatures that otherwise couldn't have been broken in time (although I guess if you have QC, you do the root key first. Paul _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
