evan hunt of isc just spoke at the microphones and said "an md5 validator implementation that isn't used isn't hurting anybody." on pressure of time, the microphones had closed, so i'm commenting here.
i disagree. all code has bugs, eventually. or at least, there is no existence proof to the contrary, and also, no reason to suspect otherwise. so, code that is not used will not be reviewed or maintained. it's a risk, just by existing.

also, a validator that outputs "secure" based on MD5 inputs is making a promise it can't keep. no one should believe such an output, but there is no way to signal such a policy -- other than by removing the code point, and the code that implements it.

-- P Vixie

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop