> We'd like to hear both support for and technical objections to the
> Nutshell Proof of Sanity, so we can put subsequent work on more
> solid footing.

The 'Nutshell Proof of Sanity' is trivially true with the current DNSSEC validation rules. If a validator does not support certain algorithms and it comes across a DS RRset that consists of only unsupported algorithms, then the validator treats the child zone as insecure. The 'Nutshell Proof of Sanity' states the same thing for a more narrow set of algorithms (only those that must be implemented by validators), where the current rules apply to all algorithms.

However, I don't see how this 'Nutshell Proof of Sanity' can be applied to the topic at hand. Direct application of the proof would make RSA/SHA1 a universal algorithm. Or, the other way around, if RSA/SHA1 is not a universal algorithm, then there is some other property that plays a role and that makes the proof less relevant.

As far as I know, the previous discussion was about FORMERLY-UNIVERSAL algorithms. I now think that 'FORMERLY-UNIVERSAL' is the wrong concept. It is not that the rules for FORMERLY-UNIVERSAL are wrong, it is that FORMERLY-UNIVERSAL is the wrong way to classify algorithms that were once UNIVERSAL.
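The current validation rule referred to in the message above, sketched as an added example that is not part of the original message or of any validator's code: a DS RRset containing only unsupported algorithms (or digest types) leaves the child zone insecure rather than bogus. Zone names, key tags and the two validator support sets are constructed for illustration.

```python
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers and DS digest types (subset).
RSASHA1, RSASHA256, ECDSAP256SHA256, ED25519 = 5, 8, 13, 15
DIGEST_SHA1, DIGEST_SHA256, DIGEST_SHA384 = 1, 2, 4

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int

def usable_ds(ds_rrset, algorithms, digests):
    """DS records this validator can use to build a chain of trust."""
    return [ds for ds in ds_rrset
            if ds.algorithm in algorithms and ds.digest_type in digests]

def classify_delegation(ds_rrset, algorithms, digests):
    """Status of a child zone given its authenticated DS RRset.

    An empty RRset stands for an authenticated proof that no DS exists.
    """
    if not ds_rrset:
        return "insecure"
    if not usable_ds(ds_rrset, algorithms, digests):
        # Only unsupported algorithms/digests: treated as unsigned, not bogus.
        return "insecure"
    return "must-validate"

# Constructed sample data: zone names, key tags and support sets are hypothetical.
ZONES = {
    "legacy.example": [DS(11111, RSASHA1, DIGEST_SHA1)],
    "mixed.example": [DS(22222, RSASHA1, DIGEST_SHA256),
                      DS(33333, ECDSAP256SHA256, DIGEST_SHA256)],
    "modern.example": [DS(44444, ED25519, DIGEST_SHA256)],
    "unsigned.example": [],
}
DIGESTS = {DIGEST_SHA1, DIGEST_SHA256, DIGEST_SHA384}
WITH_RSASHA1 = {RSASHA1, RSASHA256, ECDSAP256SHA256, ED25519}
WITHOUT_RSASHA1 = WITH_RSASHA1 - {RSASHA1}

def survey(algorithms, digests=DIGESTS):
    """Classify every sample zone for a validator with the given support sets."""
    return {zone: classify_delegation(ds, algorithms, digests)
            for zone, ds in ZONES.items()}

if __name__ == "__main__":
    for label, algs in (("with RSASHA1", WITH_RSASHA1),
                        ("without RSASHA1", WITHOUT_RSASHA1)):
        print(label, survey(algs))
```

The same RSASHA1-only delegation is validated by one validator and treated as unsigned by the other, which is the property the classification discussion turns on.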
