Telechat Review of draft-ietf-dnsop-must-not-sha1-06
review-ietf-dnsop-must-not-sha1-06-secdir-telechat-nir-2025-04-13-00
| Request | Review of draft-ietf-dnsop-must-not-sha1 |
|---|---|
| Requested revision | No specific revision (document currently at 06) |
| Type | Telechat Review |
| Team | Security Area Directorate (secdir) |
| Deadline | 2025-05-20 |
| Requested | 2025-03-31 |
| Authors | Wes Hardaker, Warren Kumari |
| I-D last updated | 2025-04-11 (Latest revision 2025-04-11) |
| Completed reviews | Dnsdir IETF Last Call review of -03 by Florian Obser; Artart IETF Last Call review of -03 by Barry Leiba; Secdir IETF Last Call review of -03 by Yoav Nir; Genart IETF Last Call review of -03 by Behcet Sarikaya; Dnsdir Telechat review of -05 by Florian Obser; Opsdir Telechat review of -06 by Thomas Graf; Secdir Telechat review of -06 by Yoav Nir |
| Assignment | Reviewer: Yoav Nir |
| State | Completed |
| Request | Telechat review on draft-ietf-dnsop-must-not-sha1 by Security Area Directorate Assigned |
| Posted at | https://mailarchive.ietf.org/arch/msg/secdir/YCagRk5T0qkbi_3hlfRT6ddiU7A |
| Reviewed revision | 06 |
| Result | Ready |
| Completed | 2025-04-13 |
The document is fine as it is.

I will say that the Security Considerations section is a bit strange:

> This document deprecates the use of RSASHA1 and RSASHA1-NSEC3-SHA1 signatures since they are no longer considered to be secure.

But that is a common problem with documents like this that deprecate existing algorithms or protocol options for security reasons. Some documents got around this by claiming that the whole document is security considerations. For example, a draft of RFC 7568 (deprecating SSLv3) said:

> This entire document aims to improve security by prohibiting the use of a protocol that is not secure.

But they toned it down for the final RFC.

Anyway, it's fine as it is.