Re: [Cfrg] What crypto algorithm is referenced most in RFCs?

David McGrew <mcgrew@cisco.com> Fri, 17 June 2011 18:30 UTC

Hi Joachim,

+1 on the idea of making sure that current I-Ds that mention MD5 are  
aware   Probably this could be done by crafting a short paragraph  
saying something like "We noticed that your RFC references MD5; please  
be aware that it is not recommended for new protocols (see RFC6151).   
We suggest that your work not make use of MD5.  If it is necessary to  
use MD5 for compatibility with existing implementations, we ask that  
you cite RFC6151."   (Comments and wordsmithing welcome.)

The first of the current drafts that I looked at was
draft-zorn-emu-team-02, and it includes TLS_RSA_WITH_RC4_128_MD5 as a
SHOULD, and it doesn't cite 6151.   So I think the message would help.

David

On Jun 15, 2011, at 12:42 AM, Joachim Strömbergson wrote:

> Aloha!
>
> On 2011:06:15 1:59, Jon Callas wrote:
>>>> Would it be fruitful to browse the list try and identify the
>>>> most pressing cases and try to convince the authors that they
>>>> should mend their ways?
>>
>>> Actually, it would.
>>
>> I disagree. What would be helpful would be to identify
>> *implementations* that should mend their ways. The map is not the
>> territory. The RFCs are the maps; the implementations are the
>> territories. If you change the map so that it represents an idealized
>> reality, it's not the same thing as a fixed reality. I think reality
>> is better than this survey of maps indicates.
>
> Jon, I'm sorry for not being more clear. What I was implicitly
> referring to was the lists of active drafts, not RFCs. I agree that
> for RFCs it is more important to look at implementations.
>
> But the drafts have not yet become the map. Fixing errors in the map to
> be before it is printed isn't that better than waiting until it has
> been printed and in use?
>
> We basically have two different problems:
> (1) Help implementations to migrate from algorithms we don't trust
> anymore to the algorithms we trust, algorithms specified in updated
> versions of the map.
>
> (2) Help map developers avoid specifying use of the bad algorithms so
> that new implementations don't end up using bad algorithms in the
> first place.
>
> More understandable? And agreeable?
>
> - --
> Med vänlig hälsning, Yours
>
> Joachim Strömbergson - Alltid i harmonisk svängning.
> ========================================================================
> Kryptoblog - IT-säkerhet på svenska
> http://www.strombergson.com/kryptoblog
> ========================================================================