On 23. 07. 25 14:33, Philip Homburg wrote:
>> For existing algorithms, we could punt. Or introduce new aliases/numbers
>> (which I know some folks don't like, though we've done that successfully
>> with algs 6 and 7 for NSEC3), or target a future flag date for enforcement
>> (and I know some folks hate flag days - Paul Wouters gave me a tshirt on
>> that subject this week! :)
>
> In my opinion the thing to do now is publish a BCP that signers have to
> avoid collisions (and other reasons for bad signatures).
>
> That will have about the same effect (and with a lot less hassle) as issuing
> new code points for existing algorithms.
>
> We don't need a flag day. Validators can tolerate a few signature validation
> errors. The main thing is that with a BCP it is clearly an error on the
> side of the signer. Now it's something that is allowed by the protocol (and
> even expected to some extent from naive signers).

I agree with what Philip said. Setting the expectation that collisions might
not work is good enough. No need to jump through hoops with code points
as it is just more code to write for no benefit.
--
Petr Špaček