author Martin Schanzenbach <mschanzenbach@posteo.de> 2020-07-06 17:30:56 +0200
committer Martin Schanzenbach <mschanzenbach@posteo.de> 2020-07-06 17:30:56 +0200
commit 733e4800f6c132f1030df604cecb940d9ec38576 (patch)
tree a05fcd4411880f203ab47e738a165f784b64a602
parent 432eece15b77ea870ba2081a0f245054e8dc093e (diff)
add text regarding crypto-agility
-rw-r--r-- draft-schanzen-gns.xml 7
1 files changed, 7 insertions, 0 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index 9233976..a4fa4ed 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -1472,6 +1472,13 @@ example.com = zk2
1472 ECDSA. GNS uses 256-bit curves because that way the encoded (public) 1472 ECDSA. GNS uses 256-bit curves because that way the encoded (public)
1473 keys fit into a single DNS label, which is good for usability. 1473 keys fit into a single DNS label, which is good for usability.
1474 </t> 1474 </t>
1475 <t>
1476 In terms of crypto-agility, whenever the need for an updated cryptographic
1477 scheme arises to replace ECDSA over Curve25519 it may simply be introduced
1478 through a new record type. Such a new record type may then replace
1479 the PKEY record type for future records. The old record type remains
1480 and zones can iteratively migrate to the updated zone keys.
1481 </t>
1475 </section> 1482 </section>
1476 <section anchor="security_abuse" numbered="true" toc="default"> 1483 <section anchor="security_abuse" numbered="true" toc="default">
1477 <name>Abuse mitigation</name> 1484 <name>Abuse mitigation</name>
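Review bot: The added paragraph (new lines 1476-1480) does not say how a resolver should treat a zone-key record type it does not implement, or which record takes precedence if a label carries both a PKEY record and a successor-type record while a zone is migrating. Since "the old record type remains", that gap leaves room for a downgrade to the scheme being replaced; a sentence on precedence and on handling unsupported types would close it. It would also help to note that a replacement scheme may not keep the property stated in the context lines just above, that the encoded public key fits into a single DNS label. Minor style point: add a comma after "Curve25519" in "to replace ECDSA over Curve25519 it may simply be introduced".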