[145357] in cryptography@c2.net mail archive
Re: Root Zone DNSSEC Deployment Technical Status Update
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Sun Jul 18 10:21:41 2010
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <AANLkTinPUgBf41nZacjdhPf5CmsqxFPUx1x7xMj5At79@mail.gmail.com>
Date: Sun, 18 Jul 2010 07:19:18 -0400
Cc: Paul Wouters <paul@xelerance.com>, "Perry E. Metzger" <perry@piermont.com>,
cryptography@metzdowd.com
To: Taral <taralx@gmail.com>
On Jul 17, 2010, at 3:30 05PM, Taral wrote:
> On Sat, Jul 17, 2010 at 7:41 AM, Paul Wouters <paul@xelerance.com> =
wrote:
>>> Several are using old SHA-1 hashes...
>>=20
>> "old" ?
>=20
> "old" in that they are explicitly not recommended by the latest specs
> I was looking at.
DNSSEC signatures do not need to have a long lifetime; no one cares if, =
in 10 years, someone can find a preimage attack against today's signed =
zones. This is unlike many other uses of digital signatures, where you =
may have to present evidence in court about what some did or did not =
sign.
It's also unclear to me what the actual deployment is of stronger =
algorithms, or of code that will do the right thing if multiple =
signatures are present.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
