On 11 Apr 2016, at 12:34, Evan Hunt wrote:

> On Mon, Apr 11, 2016 at 03:15:47PM -0400, Paul Wouters wrote:
>> Based on the above stats, I'd still prefer it to go away completely.
>
> I have no objection to eliminating it from signers, and it's okay
> with me to leave it optional for validators, but that puts it to
> the level of MAY, not MUST NOT. I don't think it should go to MUST
> NOT unless merely *being able* to validate MD5 signatures is itself
> dangerous, and I don't believe that's the case.

Evan has a good point here: if an algorithm is not actively harmful to a validator, anything lower than MAY seems inappropriate. The fact that signing with an algorithm might expose the signer's private key (which is not the case here now, but could be in the future) is only a security risk for the signer, not for the validator.

So, +1 to no algorithms in the "validator" column being SHOULD NOT or MUST NOT.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
