>This is not the terminology used in the draft:
>
>- UNIVERSAL relates to ubiquitous support in validators;
>- FORMERLY-UNIVERSAL relates to formerly ubiquitous support in validators.
>
>Even though algorithm 13 is now UNIVERSAL in that sense, it's entirely
>possible for some signer to still use an HSM that only supports algorithm 8,
>not 13.
>
>Thus, this terminology is *not* about signers here. If you'd like to discuss
>general support in signers, let's use different words for that, so as not to
>get entirely confused.

In my opinion, this draft uses a wrong life-cycle model. Maybe we need to
introduce something like Steve's model first.

This draft seems to have as its implicit model that as soon as an algorithm is
no longer UNIVERSAL, validators can completely drop support. I think that
is the wrong approach.

The problem with the validation requirement for FORMERLY-UNIVERSAL in
the current draft is that if a zone is dual signed with both RSASHA1(5) and
RSASHA256(8) then if a validator does not support RSASHA1, it has to
consider the zone insecure.


_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
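The dual-signing scenario in the reply above, worked through as an added example (this is not code from the draft, the thread or any resolver; it is a small model written here). It encodes the long-standing validator rule from RFC 4035 section 5.2 and RFC 6840 section 5.11, under which DS algorithms a validator does not implement are simply ignored and the zone is secure if any supported algorithm validates, and, beside it, the behaviour the reply attributes to the draft, modelled here as a hypothetical rule ("an unsupported FORMERLY-UNIVERSAL algorithm in the DS set makes the zone insecure"). The DS sets, signature outcomes and supported-algorithm lists are constructed inputs, and `DelegationView`, `validate_rfc6840` and `validate_author_reading` are names chosen for this example.

```python
"""Model of how two validator policies treat a zone dual-signed with
RSASHA1 (5) and RSASHA256 (8), as discussed in the message above.

Example code written for this page; it is not taken from the draft or from
any resolver implementation. Inputs are constructed for illustration.
"""
from dataclasses import dataclass

# DNSSEC algorithm numbers used in the thread (IANA registry values).
RSASHA1 = 5
RSASHA256 = 8
ECDSAP256SHA256 = 13

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass(frozen=True)
class DelegationView:
    """What a validator sees when it walks a delegation (hypothetical type).

    ds_algorithms:    algorithms advertised in the parent's DS RRset.
    valid_signatures: algorithms whose RRSIG over the child DNSKEY RRset
                      would verify if the validator attempted it. Whether a
                      signature is even attempted is the policy's decision.
    """
    ds_algorithms: frozenset
    valid_signatures: frozenset


def validate_rfc6840(view, supported):
    """RFC 4035 s5.2 / RFC 6840 s5.11 style policy.

    DS records for algorithms the validator does not implement are ignored.
    If none of the DS algorithms is supported the chain of trust cannot be
    built and the zone is treated as insecure (unsigned). Otherwise the zone
    is secure as soon as one supported algorithm produces a valid signature;
    it is bogus only if no supported algorithm validates.
    """
    usable = view.ds_algorithms & supported
    if not usable:
        return INSECURE
    if usable & view.valid_signatures:
        return SECURE
    return BOGUS


def validate_author_reading(view, supported, formerly_universal):
    """The consequence the reply attributes to the draft, modelled here as a
    hypothetical rule (this is NOT text from the draft): if the DS set names a
    FORMERLY-UNIVERSAL algorithm the validator does not support, the zone is
    considered insecure even when another supported algorithm validates.
    """
    missing = (view.ds_algorithms & formerly_universal) - supported
    if missing:
        return INSECURE
    return validate_rfc6840(view, supported)


def compare_policies():
    """Run the dual-signed zone from the thread through both policies.

    Returns a dict of (policy name -> outcome) for a validator that has
    dropped RSASHA1 but still supports RSASHA256 and ECDSAP256SHA256.
    """
    # Constructed input: zone dual-signed with 5 and 8, both signatures good.
    dual_signed = DelegationView(
        ds_algorithms=frozenset({RSASHA1, RSASHA256}),
        valid_signatures=frozenset({RSASHA1, RSASHA256}),
    )
    modern_validator = frozenset({RSASHA256, ECDSAP256SHA256})
    formerly_universal = frozenset({RSASHA1})  # assumption for the example

    return {
        "rfc6840": validate_rfc6840(dual_signed, modern_validator),
        "author_reading_of_draft": validate_author_reading(
            dual_signed, modern_validator, formerly_universal),
    }


if __name__ == "__main__":
    for policy, outcome in compare_policies().items():
        print(f"{policy:25s} -> {outcome}")
```

Under the RFC 6840 rule the dual-signed zone stays secure because the RSASHA256 signature alone suffices; under the rule as the reply characterises it, the same zone degrades to insecure for every validator that has dropped RSASHA1, which is the objection the message raises. The third assertion in the test below also shows the case the RFC rule is designed for: a validator that supports none of the DS algorithms treats the zone as insecure rather than bogus.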