On Thu, Jul 20, 2017 at 11:48 AM, Willem Toorop <wil...@nlnetlabs.nl> wrote:
> Op 20-07-17 om 10:45 schreef Shumon Huque: > > On Thu, Jul 20, 2017 at 10:39 AM, Ólafur Guðmundsson > > <ola...@cloudflare.com <mailto:ola...@cloudflare.com>> wrote: > > > > > > I disagree, if a zone operator selects "less-than" common algorithm > > they do that at their own risk, > > if the risk is not acceptable then it should dual sign.... > > > > > > Yes. The point I was trying to make is that DANE sites (and probably > > others if they care about security) cannot afford to fail open. So they > > have to dual sign if they can stomach the costs, or delay deploying new > > algorithms for a long time. This draft is intended to (eventually) make > > the dual signing case easier to deal with operationally. > > So, > > Providers of DANE backed services are stuck on the well-known > algorithms, and do not have insight on algorithm support by clients > verifying these services with DANE. > > This draft in combination with double signing, provides the means to > deal with this (and in a secure manner too). > > I think this is an important motivation of this work and that this > should be reflected in the Introduction section of the draft. > > -- Willem > Thank you Willem, and your point is noted. We will work on improving the introduction to address this. -- Shumon Huque
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
