Roman Danyliw has entered the following ballot position for draft-ietf-dnsop-must-not-sha1-06: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-must-not-sha1/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you to Behcet Sarikaya for the GENART review.

** Section 1 and 2.

-- Section 1. “Further, support for validating SHA-1 based signatures has been removed from some systems.”

-- Section 2. “Validating resolver implementations MUST continue to support validation using these algorithms as they are diminishing in use but still actively in use for some domains as of this publication.”

Are these text snippets saying that implementations have already chosen to drop SHA-1 support, despite this draft saying it should not be?

** Section 1.

   As adequate alternatives exist, the use of SHA-1 is no longer advisable.

Doesn’t Section 2 say something much stronger than “no longer advisable”? It uses “MUST NOT”.

** Section 3.

   This document deprecates the use of RSASHA1 and RSASHA1-NSEC3-SHA1
   signatures since they are no longer considered to be secure.

Isn’t this imprecise? The prior text seems to leave wide latitude to validating resolvers to continue to validate SHA-1-based signatures. Maybe:

NEW (roughly)

   This document deprecates the use of RSASHA1 and RSASHA1-NSEC3-SHA1
   signatures in new DNSSEC records since these algorithms are no
   longer considered to be secure.
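The distinction the ballot keeps circling back to is that the same SHA-1 algorithm is forbidden on the signing side but must still be accepted on the validating side. The following zone-audit script is an added example illustrating that split; it is not code from the ballot, the draft or any IETF project. The algorithm numbers it uses are not stated on this page and come from the IANA DNSSEC algorithm registry (RSASHA1 = 5 per RFC 4034, RSASHA1-NSEC3-SHA1 = 7 per RFC 5155); the sample zone, the `Finding` type and the `signer`/`validator` role names are constructed for the example.

```python
"""Audit DNSSEC DNSKEY/RRSIG records for SHA-1 based algorithms.

Added example, not code from the ballot, the draft or any IETF project.
Algorithm numbers come from the IANA DNSSEC algorithm registry, not from
the page: RSASHA1 = 5 (RFC 4034), RSASHA1-NSEC3-SHA1 = 7 (RFC 5155).
The role split mirrors the distinction the ballot quotes from the draft:
signers must not produce new records with these algorithms, while
validators keep validating them for now.
"""
from dataclasses import dataclass

# Algorithm number -> registry mnemonic for the two SHA-1 algorithms the
# draft names. Extension point if other SHA-1 based codes are ever added.
SHA1_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}

ROLES = ("signer", "validator")  # hypothetical role names for this example


@dataclass(frozen=True)
class Finding:
    owner: str
    rrtype: str      # "DNSKEY" or "RRSIG"
    algorithm: int
    verdict: str     # "MUST NOT", "VALIDATE" or "OK"
    note: str


def parse_record(line: str):
    """Return (owner, rrtype, algorithm) for a presentation-format DNSKEY or
    RRSIG record, or None for comments, blank lines and other record types.

    TTL and class are optional in presentation format, so the type token is
    located by scanning rather than by a fixed field position.
    """
    fields = line.split()
    if not fields or fields[0].startswith(";"):
        return None
    for i in range(1, len(fields)):
        if fields[i] in ("DNSKEY", "RRSIG"):
            rrtype, rdata = fields[i], fields[i + 1:]
            break
    else:
        return None
    if rrtype == "DNSKEY":
        # RDATA: flags protocol algorithm public-key (RFC 4034 section 2.2)
        if len(rdata) < 4:
            raise ValueError(f"truncated DNSKEY: {line!r}")
        algorithm = int(rdata[2])
    else:
        # RDATA: type-covered algorithm labels orig-ttl expiration inception
        #        key-tag signer signature (RFC 4034 section 3.2)
        if len(rdata) < 9:
            raise ValueError(f"truncated RRSIG: {line!r}")
        algorithm = int(rdata[1])
    return fields[0], rrtype, algorithm


def evaluate(owner: str, rrtype: str, algorithm: int, role: str) -> Finding:
    """Apply the draft's split: a SHA-1 algorithm is forbidden for a signer
    but still accepted, with a warning, by a validator."""
    if role not in ROLES:
        raise ValueError(f"role must be one of {ROLES}, got {role!r}")
    if algorithm not in SHA1_ALGORITHMS:
        return Finding(owner, rrtype, algorithm, "OK", "")
    name = SHA1_ALGORITHMS[algorithm]
    if role == "signer":
        return Finding(owner, rrtype, algorithm, "MUST NOT",
                       f"{name} is SHA-1 based; do not create new {rrtype} records with it")
    return Finding(owner, rrtype, algorithm, "VALIDATE",
                   f"{name} still validates but is deprecated for signing; expect it to disappear")


def audit(zone_text: str, role: str) -> list:
    """Run every DNSKEY/RRSIG line of a zone through evaluate()."""
    findings = []
    for line in zone_text.splitlines():
        parsed = parse_record(line)
        if parsed is not None:
            findings.append(evaluate(*parsed, role))
    return findings


# Constructed sample zone; key and signature fields are placeholders.
SAMPLE_ZONE = """\
; constructed sample, not a real zone
example.        3600 IN DNSKEY 257 3 7 AwEAAQ==
example.        3600 IN DNSKEY 256 3 13 oJMREQ==
example.        3600 IN A 192.0.2.1
example.        3600 IN RRSIG A 7 1 3600 20250101000000 20241201000000 12345 example. c2lnMQ==
example.        3600 IN RRSIG DNSKEY 13 1 3600 20250101000000 20241201000000 23456 example. c2lnMg==
legacy.example. DNSKEY 257 3 5 AwEAAQ==
"""

if __name__ == "__main__":
    for role in ROLES:
        print(f"--- as {role} ---")
        for f in audit(SAMPLE_ZONE, role):
            if f.verdict != "OK":
                print(f"{f.verdict:9} {f.owner} {f.rrtype} alg={f.algorithm}: {f.note}")
```

Run as the `signer` role the script reports the two algorithm-7 records and the algorithm-5 key as MUST NOT; run as `validator` the same three records are reported as VALIDATE, which is the behaviour the quoted Section 2 text requires of resolvers. Note that it only classifies by algorithm number and does no cryptographic validation of its own.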
