[dnssec-deployment] DNSSEC in Russia
Dmitry Burkov
dburk at burkov.aha.ru
Sat Apr 4 02:03:48 EDT 2009
On Thu, 2 Apr 2009 19:38:07 -0400
Steve Crocker <steve at shinkuro.com> wrote:
> I think the goal is:

Steve,
thank you,
you clearly defined the scope that was discussed.
Dima

> (1) for their zones, e.g. .ru, .su, and any new ones
> they get, to be signed with GOST,
>
> (2) for everyone to be able to validate their signatures,
> and
>
> (3) for them to be able to validate everyone else's
> signatures.
>
> For (2), they need to promulgate their algorithms into
> the standard crypto libraries and have an algorithm
> identifier assigned through IANA. I believe both of
> these are in progress.
>
> For (3), they simply need to use the standard algorithms
> in their own resolvers, and I believe they will be able
> to do this comfortably. We're talking about checking,
> not signing, signatures, not encrypting.
>
> Steve
>
> On Apr 2, 2009, at 7:30 PM, Paul Hoffman wrote:
>
>> At 6:49 PM -0400 4/2/09, Edward Lewis wrote:
>>
>>> This is why I am trying to go out of my way to make sure the
>>> technology can be bent to accommodate a requirement laid upon us,
>>> no matter what the source, so long as compliance is desirable. Do
>>> we want Russia to be able to use DNSSEC? I think so.
>>
>> Of course. The question at hand is not about them using it, but how
>> their particular use affects the rest of us.
>>
>>> I don't question requirements. I'm willing to show how they are
>>> best met, and let the owner of the requirement decide whether to
>>> continue.
>>
>> Fully agree.
>>
>> If their requirement is "our apex must be signed with GOST", then
>> that's no problem: algorithm identifiers are cheap. If their
>> requirement is "and everyone else must be able to validate our
>> responses" or "and the level above our APEX must also sign with
>> GOST", that is quite a different matter.
>>
>> --Paul Hoffman, Director
>> --VPN Consortium