On Mon, 11 Apr 2022, zhangcuiling wrote:
> And the main purpose is to improve the diversity of DNSSEC algorithms, and to make it convenient for people who want to use SM2 digital signature algorithm as an alternative for DNSSEC.

We actually want to prevent as much diversity as we can, to avoid creating more new long tails of deployment of algorithms. So a new algorithm should really offer something the others do not. Also having a number of ECC based algorithms would likely mean if one ends up broken, all of them end up broken. So based on:

    Due to the similarity between SM2 and ECDSA with curve P-256, some of the material in this document is copied liberally from RFC 6605 [RFC6605].

I don't see a strong reason to adopt another ECC type of algorithm.

Additionally, in this case SM2/SM3 seem to be ISO standards that are not freely available, so these are additionally problematic.

Paul