Re: [COSE] Barry Leiba's Yes on draft-ietf-cose-hash-algs-04: (with COMMENT)

Jim Schaad <ietf@augustcellars.com> Tue, 09 June 2020 04:19 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/UyngqFUMSNIVSqcquIAaHGbGpGg>


-----Original Message-----
From: Roman Danyliw <rdd@cert.org> 
Sent: Monday, June 8, 2020 8:13 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Barry Leiba' <barryleiba@computer.org>; 'The IESG' <iesg@ietf.org>
Cc: 'Ivaylo Petrov' <ivaylo@ackl.io>; cose-chairs@ietf.org; draft-ietf-cose-hash-algs@ietf.org; cose@ietf.org
Subject: RE: Barry Leiba's Yes on draft-ietf-cose-hash-algs-04: (with COMMENT)

Hi Jim!

> -----Original Message-----
> From: iesg <iesg-bounces@ietf.org> On Behalf Of Jim Schaad
> Sent: Tuesday, June 2, 2020 3:17 PM
> To: 'Barry Leiba' <barryleiba@computer.org>; 'The IESG' 
> <iesg@ietf.org>
> Cc: 'Ivaylo Petrov' <ivaylo@ackl.io>; cose-chairs@ietf.org;
> draft-ietf-cose-hash-algs@ietf.org; cose@ietf.org
> Subject: RE: Barry Leiba's Yes on draft-ietf-cose-hash-algs-04: (with 
> COMMENT)
> 
> 
> 
> -----Original Message-----
> From: Barry Leiba via Datatracker <noreply@ietf.org>
> Sent: Monday, June 1, 2020 9:33 PM
> To: The IESG <iesg@ietf.org>
> Cc: draft-ietf-cose-hash-algs@ietf.org; cose-chairs@ietf.org; 
> cose@ietf.org; Ivaylo Petrov <ivaylo@ackl.io>; ivaylo@ackl.io
> Subject: Barry Leiba's Yes on draft-ietf-cose-hash-algs-04: (with 
> COMMENT)
> 
> Barry Leiba has entered the following ballot position for
> draft-ietf-cose-hash-algs-04: Yes
> 
> When responding, please keep the subject line intact and reply to all 
> email addresses included in the To and CC lines. (Feel free to cut 
> this introductory paragraph, however.)
> 
> 
> Please refer to 
> https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-cose-hash-algs/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------

[snip]

>    The standard "Collision Attack" is one where an attacker can
>    find two different messages that have the same hash value.  If a
>    collision attack exists, then the function SHOULD NOT be used for a
>    cryptographic purpose.
> 
> I'm uncomfortable with having this document give a brief tutorial on
> cryptographic hashing, as it has to be oversimplified... and it is.
> If it's going to stay, I'd like to see at least one minor change,
> though I'll defer to the Sec ADs on this point: for any hash alg, it
> is always possible to encounter a collision, and the text isn't clear
> about what "if a collision attack exists" really means.  I think it
> means not to use it if a collision attack is practical, and maybe
> this is a better way to say it?:
> 
> NEW
>    A "collision attack" is one where an attacker can
>    find two different messages that have the same hash value.  A
>    hash function that is susceptible to collision attacks SHOULD
>    NOT be used for cryptographic purposes.
> END
> 
> [JLS] Done.  Given how fast we are at getting hash algorithms changed,
> I don't know that the trigger I would use is that the attack is
> practical.  Just the ability to find a collision at all is the trigger
> that we need to start changing the hash algorithms we are using.
> People have talked about SHA-1 collisions for the last twenty years,
> but only in the last two have they become practical.  Should we be
> suggesting the SHOULD earlier than 2017?

Perhaps we simply state the guiding design principle.  Say:

A "collision attack" is one where an attacker can find two different messages that have the same hash value.  A hash function that is susceptible to practical collision attacks SHOULD NOT be used for cryptographic purposes.  The discovery of theoretical collision attacks against a given hash function SHOULD trigger a review of the continued suitability of the algorithm if alternatives are available and migration is viable.

[JLS] That makes sense.

Regards,
Roman