Re: [Cfrg] What crypto algorithm is referenced most in RFCs?

[Simon Josefsson <simon@josefsson.org>]

Jon Callas <jon@callas.org> writes:

> I disagree. What would be helpful would be to identify
> *implementations* that should mend their ways. The map is not the
> territory. The RFCs are the maps; the implementations are the
> territories. If you change the map so that it represents an idealized
> reality, it's not the same thing as a fixed reality. I think reality
> is better than this survey of maps indicates.

+1

Use of DES/RC2/MD4 is still not uncommon.

> If you want to have a positive effect on the world with the minimum
> windmill-tilting, go find the RFCs that do not have reasonable
> extensions. Continuing my example, something that is using (e.g.) bare
> MD5 with no option for SHA2. Update that RFC to have SHA2 as a MAY,
> and then poke the implementers to migrate on their own. I can think of
> a few things I might pursue (CRAM-MD5 springs to mind), but focus your
> righteous anger on the implementations that are screwing up and then
> on the implementations that are doing something half-assed because the
> only option they have is to do something half-assed. Write the new RFC
> for them with something full-assed.

For CRAM-MD5 to fall, I think you need to show that there are practical
attacks on HMAC-MD5.  As far as I recall this hasn't been done yet.

I'm more concerned with DIGEST-MD5.  I'm not sure significant number of
people in the crypto community bothers to study it.  However DIGEST-MD5
is widely implemented and used.

Fortunately, we have SCRAM to replace them both. :-)

/Simon