Re: [sidr] GOST & SIDR

To: Randy Bush <randy at psg.com>
Subject: Re: [sidr] GOST & SIDR
From: Samuel Weiler <weiler+lists.sidr at watson.org>
Date: Mon, 20 Apr 2009 18:41:08 -0400 (EDT)
Cc: sidr at ietf.org
Delivered-to: sidr at core3.amsl.com
In-reply-to: <m2tz4jc6ti.wl%randy at psg.com>
List-archive: <http://www.ietf.org/mail-archive/web/sidr>
List-help: <mailto:sidr-request@ietf.org?subject=help>
List-id: Secure Interdomain Routing <sidr.ietf.org>
List-post: <mailto:sidr@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
References: <D556D856-C2C3-4D60-BD8C-472619375DFB at tcb.net> <49DA347E.8010801 at burkov.aha.ru> <alpine.BSF.2.00.0904161158110.27241 at fledge.watson.org> <m2ocuwtdgi.wl%randy at psg.com> <alpine.BSF.2.00.0904171136500.30042 at fledge.watson.org> <m2tz4jc6ti.wl%randy at psg.com>
User-agent: Alpine 2.00 (BSF 1167 2008-08-23)

On Mon, 20 Apr 2009, Randy Bush wrote:

I'm asking "will RPKI partcipants who want to use algorithmsdifferent from the norm and/or their parents be able to do sowithout any bad effects"?
no
Using strange algorithms may well mean that most relying partiescan't verify the certificates, but that's to be expected.
i hope you do not think this is acceptable or useful.

Strangely enough, I do think it's useful, or at least not harmful, butI'm interested in hearing your perspective.

Here's my perspective, informed in part by Dmitry's comments both hereand on DNS-related lists:

There may (or will) be communities that WILL NOT sign with (=issuecertificates signed by) algorithm X (=RSA). They might happily signwith algorithm Y (=GOST). Some parts of the world (=that samecommunity plus some) will be able to verify Y certificates and willgain utility from them, perhaps by authenticating route originationsfrom within that community. To the parts of the world that can'tverify algorithm Y certificates, hopefully it will be as though suchcerts were never issued which, if you assume incremental deployment,isn't so very bad.

So I do assume a world of partial deployment, and I assume that havingno certificates issued won't cut you off from the rest of the net.And I assume that having only algorithm Y certificates is no worsethan having none at all.


Where do you think I've gone astray?

-- Sam

Follow-Ups:
- Re: [sidr] GOST & SIDR
  - From: Stephen Kent
- Re: [sidr] GOST & SIDR
  - From: Randy Bush

References:
- [sidr] GOST & SIDR
  - From: Danny McPherson
- Re: [sidr] GOST & SIDR
  - From: Dmitry Burkov
- Re: [sidr] GOST & SIDR
  - From: Samuel Weiler
- Re: [sidr] GOST & SIDR
  - From: Randy Bush
- Re: [sidr] GOST & SIDR
  - From: Samuel Weiler
- Re: [sidr] GOST & SIDR
  - From: Randy Bush

Prev by Date: Re: [sidr] GOST & SIDR
Next by Date: Re: [sidr] GOST & SIDR
Previous by thread: Re: [sidr] GOST & SIDR
Next by thread: Re: [sidr] GOST & SIDR
Index(es):
- Date
- Thread

Re: [sidr] GOST & SIDR

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.