At 12:57 PM -0500 2/11/10, Stephen Kent wrote:
>I recommend that the document not be approved by the IESG in its current form.
> Section 6.1 states:
>
>>6.1. Support for GOST signatures
>>
>> DNSSEC aware implementations SHOULD be able to support RRSIG and
>> DNSKEY resource records created with the GOST algorithms as
>> defined in this document.
>
>There has been considerable discussion on the security area directorate list
>about this aspect of the document. All of the SECDIR members who participated
>in the discussion argued that the text in 6.1 needs to be changed to MAY from
>SHOULD. The general principle cited in the discussion has been that "national"
>crypto algorithms like GOST ought not be cited as MUST or SHOULD in standards
>like DNSSEC. I refer interested individuals to the SECDIR archive for details
>of the discussion.
>
>(http://www.ietf.org/mail-archive/web/secdir/current/maillist.html)

As usual, I agree completely with Steve Kent. Further, I note that while there was consensus in the DNSEXT WG to put this document on standards track, there was no such consensus for making every DNSSEC implementation come under a new SHOULD-level requirement.

--Paul Hoffman, Director
--VPN Consortium
