On Nov 1, 2018, at 8:18 AM, A. Schulze <[email protected]> wrote:
>
> On 01.11.18 at 00:03, Wessels, Duane wrote:
>> I think you might be the first person to argue for supporting multiple
>> ZONEMD algorithms per zone. I actually expected more.
>
> I remember Stephen Farrell saying something like "while designing new
> protocols, algorithm agility is an important point"
> We see the results today in DKIM and DNSSEC. It's really hard to change
> crypto primitives.

The current ZONEMD draft fully supports algorithm agility. What it doesn't support is multiple hashes *within a single message*. Having seen how easy it is to screw up OpenPGP and S/MIME message processing to handle multiple hashes, I think having one hash per zone is much more likely to work.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
