Earlier today Petr Špaček sent me an off-list comment that he intended to be on-list, and I want to promote it:

On Tue, Mar 28, 2017 at 05:20:52PM +0200, Petr Špaček wrote:
> Here I have to agree with enforcing "MUST NOT". MD5 is a risk even on
> the validating side. It might provide an attacker with the ability to forge
> TLSA records in zones signed with MD5, which has much worse
> consequences than treating the zone as unsigned. It is a security
> nightmare because validators supporting MD5 will treat this as valid and
> happily accept forged certificates!

This is a convincing argument, and I'm reconsidering my objections in light of it.

-- 
Evan Hunt -- [email protected]
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
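To make the argument in the quoted message concrete, here is an added model (not code from the message, from BIND or from any validator) of how a validator's algorithm-support table decides what a DANE client sees. It assumes the RFC 4035 / RFC 6840 rule that a zone whose DS RRset lists only algorithms the validator does not implement is treated as Insecure, and the RFC 7671 rule that TLSA data is used only when the lookup validated as Secure; the algorithm numbers 8 and 13 for the "good" validator are constructed sample values.

```python
"""Model: does a validator's support for RSA/MD5 change what DANE trusts?

Assumed behaviour (not stated in the message):
 - RFC 4035 s5.2 / RFC 6840 s5.11: if no DS algorithm is supported by the
   validator, the child zone is treated as Insecure (as if unsigned).
 - RFC 7671: a DANE client uses TLSA records only when they are Secure.
"""
from enum import Enum

RSAMD5 = 1  # IANA DNSSEC algorithm number for RSA/MD5


class Status(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"


def validate_zone(ds_algorithms, supported, signature_ok):
    """Return the validation status of a zone.

    ds_algorithms: algorithm numbers present in the parent's DS RRset.
    supported:     algorithm numbers this validator implements.
    signature_ok:  callable(alg) -> bool, result of the RRSIG check that
                   the validator would perform with that algorithm.
    """
    usable = [a for a in ds_algorithms if a in supported]
    if not usable:
        # Nothing we can verify: fall back to Insecure, never Secure.
        return Status.INSECURE
    # RFC 6840 s5.11: any one supported algorithm with a valid chain suffices.
    if any(signature_ok(a) for a in usable):
        return Status.SECURE
    return Status.BOGUS


def tlsa_usable(status):
    """A DANE client acts on TLSA records only when they validated Secure."""
    return status is Status.SECURE


def forged_tlsa_accepted(validator_supports_md5):
    """Scenario from the message: a zone signed only with RSA/MD5, where the
    MD5-based RRSIG over a TLSA RRset was produced by an attacker. The forged
    signature is modelled as 'signature_ok' returning True for algorithm 1;
    the algorithms 8 and 13 are a constructed sample of what the validator
    otherwise supports."""
    supported = {8, 13} | ({RSAMD5} if validator_supports_md5 else set())
    status = validate_zone([RSAMD5], supported, lambda a: a == RSAMD5)
    return tlsa_usable(status)
```

With RSA/MD5 enabled the forged TLSA RRset comes back Secure and the client pins the attacker's certificate; with it treated as unsupported the same lookup is merely Insecure and DANE is simply not applied.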
