Why validation does not need special processing for FORMERLY-UNIVERSAL. The meaning of UNIVERSAL is that signers can mix and match algorithms for the set of algorithms tagged as UNIVERSAL.
The question then becomes how to remove an algorithm from UNIVERSAL. We cannot just reclassify an algorithm and expect that overnight, zones are signed with a different algorithm. So FORMERLY-UNIVERSAL should mean: signers have to stop using this as a UNIVERSAL algorithm as quickly as possible. However, for validators it still remains mandatory. An algorithm can remain FORMERLY-UNIVERSAL until we want to make the algorithm optional.

So in the context of this draft, 5 and 7 should not be FORMERLY-UNIVERSAL. The first reason is that they never had the qualification UNIVERSAL in the first place, so there is no need to list them as FORMERLY-UNIVERSAL. The second is that from a security perspective they are bad enough that all signers should have moved away already and we cannot rely on widespread implementation in validators.

Suppose that in the future we want to get rid of RSASHA2; then we can mark RSASHA2 as FORMERLY-UNIVERSAL and keep it at that level until we want to drop the requirement for RSASHA2 for validation support. This does require operators who use this draft to be somewhat agile and quickly (over a period of years, maybe even a decade) stop using algorithms that are listed as FORMERLY-UNIVERSAL.

_______________________________________________
DNSOP mailing list -- [email protected]

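The signer/validator asymmetry argued in the post, written out as an added example (this is not code from the post or from the draft). The algorithm numbers are the real IANA DNSSEC algorithm numbers; the classification table, the `OPTIONAL` label for everything that is neither UNIVERSAL nor FORMERLY-UNIVERSAL, and the choice of algorithms placed in each class are constructed assumptions for illustration, not the draft's text. The post's "RSASHA2" is assumed to mean the RSA/SHA-2 algorithms (8 and 10).

```python
"""Signer versus validator handling of DNSSEC algorithm classes.

Models the lifecycle the post describes: moving an algorithm from UNIVERSAL
to FORMERLY-UNIVERSAL obliges signers to migrate away, while validators must
keep supporting it until it is later made optional. Everything below is a
constructed illustration; the class assignments are not the draft's table.
"""
from enum import Enum


class Status(Enum):
    UNIVERSAL = "UNIVERSAL"                   # signers may use; validators must support
    FORMERLY_UNIVERSAL = "FORMERLY-UNIVERSAL"  # signers must stop; validators must still support
    OPTIONAL = "OPTIONAL"                      # assumed label: no validator requirement


# Real IANA algorithm numbers, used only to make the output readable.
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
             10: "RSASHA512", 13: "ECDSAP256SHA256", 15: "ED25519"}

# Constructed starting classification. 5 and 7 are deliberately absent, matching
# the post: they were never UNIVERSAL, so they are simply not mandatory.
INITIAL_TABLE = {8: Status.UNIVERSAL, 10: Status.UNIVERSAL,
                 13: Status.UNIVERSAL, 15: Status.UNIVERSAL}


def classify(table, alg):
    """Anything not listed is treated as OPTIONAL (assumed default)."""
    return table.get(alg, Status.OPTIONAL)


def signer_issues(table, zone_algs):
    """Algorithms a compliant signer must migrate away from: everything that is
    not currently UNIVERSAL, including FORMERLY-UNIVERSAL ones."""
    return sorted(a for a in zone_algs if classify(table, a) is not Status.UNIVERSAL)


def validator_must_support(table, alg):
    """Validators keep FORMERLY-UNIVERSAL mandatory; only OPTIONAL drops out."""
    return classify(table, alg) in (Status.UNIVERSAL, Status.FORMERLY_UNIVERSAL)


def validatable_by_compliant_validator(table, zone_algs):
    """Per RFC 4035 a zone is signed with every algorithm in its DNSKEY RRset and
    a validator needs one supported chain, so a compliant validator is guaranteed
    to validate the zone iff at least one of its algorithms is mandatory."""
    return any(validator_must_support(table, a) for a in zone_algs)


def deprecate(table, alg):
    """Step 1 of the post's lifecycle: UNIVERSAL -> FORMERLY-UNIVERSAL."""
    if table.get(alg) is not Status.UNIVERSAL:
        raise ValueError(f"{ALG_NAMES.get(alg, alg)} is not UNIVERSAL")
    new = dict(table)
    new[alg] = Status.FORMERLY_UNIVERSAL
    return new


def make_optional(table, alg):
    """Step 2, years later: FORMERLY-UNIVERSAL -> OPTIONAL (dropped from the table)."""
    if table.get(alg) is not Status.FORMERLY_UNIVERSAL:
        raise ValueError(f"{ALG_NAMES.get(alg, alg)} is not FORMERLY-UNIVERSAL")
    new = dict(table)
    del new[alg]
    return new


def lifecycle_report(zone_algs):
    """Run a zone's DNSKEY algorithm set through the RSASHA256 retirement lifecycle
    and return what signers and validators see at each stage."""
    stages = {}
    t = INITIAL_TABLE
    for name, t in (("initial", t), ("deprecated", deprecate(t, 8)),
                    ("optional", make_optional(deprecate(t, 8), 8))):
        stages[name] = {
            "signer_must_fix": [ALG_NAMES.get(a, a) for a in signer_issues(t, zone_algs)],
            "validators_guaranteed": validatable_by_compliant_validator(t, zone_algs),
        }
    return stages


if __name__ == "__main__":
    for alg, stage in lifecycle_report({8}).items():
        print(alg, stage)
```

Running the report for a zone signed only with RSASHA256 shows the point of the post: after the algorithm is marked FORMERLY-UNIVERSAL the signer is told to move, but every compliant validator still accepts the zone; only once it becomes optional does validation become a gamble.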