Re: [dane] Digest Algorithm Agility discussion

Viktor Dukhovni <> Sun, 23 March 2014 20:28 UTC


On Sun, Mar 23, 2014 at 09:00:08PM +0100, Peter Palfrader wrote:

> On Mon, 24 Mar 2014, Mark Andrews wrote:
> > > Site A only publishes SHA1 entries.  Would rather do unauthenticated TLS
> > > than trust SHA1?
> > 
> > You left out - report and refuse to send until fixed.
> No, that's not what the SMTP draft suggests.  When DANE is not there,
> then servers just fall back to not authenticating a peer's cert, as they
> do nowadays.

Indeed if one simply considers (again hypothetically) SHA1 to be
"unusable", then with no "usable" TLSA records, the connection
would fall back to unauthenticated TLS.

To do what Mark suggests, we'd have to treat SHA1 as usable but
always failing.  That is new code to make SHA1 never match.  And
still I don't see anyone shooting themselves in the foot with
self-imposed flag days for a long time after an algorithm becomes

I see that, the unstated objection must be a belief that SHA2-256
will never fail, and thus we're wasting time designing solutions
to a non-problem.  While I don't believe in eternal unbounded
progress, and (barring a P=NP revolution) it is likely that at some
point we'll have algorithms that never need replacement, it is
perhaps premature to declare mission-complete with SHA2.

For if we are to take the threat of gradual degradation of our
confidence in SHA2 seriously, we need usable approaches for phasing
it out.  Flag days don't look like usable approaches to me.
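The two behaviours contrasted in the thread, as an added illustration that is not part of the original messages: a small Python model of the TLSA matching step in which "SHA1" records are a hypothetical matching type (placeholder code 255 from the private-use range, since SHA1 is not a registered TLSA matching type). Certificate usage and selector are left out, and the certificate bytes and record sets are constructed.

```python
import hashlib
from typing import NamedTuple

# TLSA matching types from RFC 6698: 0 = full data, 1 = SHA2-256, 2 = SHA2-512.
# The thread's "SHA1" digest is hypothetical (not a registered matching type),
# so it gets a constructed placeholder code from the private-use range.
HYPOTHETICAL_SHA1 = 255
DIGESTS = {1: "sha256", 2: "sha512", HYPOTHETICAL_SHA1: "sha1"}

class Tlsa(NamedTuple):
    matching_type: int
    data: bytes  # certificate association data carried by the record

def association_data(cert_der: bytes, mtype: int) -> bytes:
    """Compute what a TLSA record of this matching type should contain."""
    if mtype == 0:
        return cert_der
    return hashlib.new(DIGESTS[mtype], cert_der).digest()

def dane_outcome(records, cert_der, disabled, disabled_still_usable):
    """Return 'authenticated', 'unauthenticated-fallback' or 'refuse'.

    disabled: matching types the client no longer trusts (SHA1 in the thread).
    disabled_still_usable=False: disabled records are "unusable" and skipped;
      with no usable records left the SMTP client falls back to unauthenticated
      TLS, as it does for a peer that publishes no usable TLSA records.
    disabled_still_usable=True: Mark's alternative; the records still count as
      usable but can never match, so the client refuses to send.
    """
    usable = [r for r in records
              if disabled_still_usable or r.matching_type not in disabled]
    if not usable:
        return "unauthenticated-fallback"
    for rec in usable:
        if rec.matching_type in disabled:
            continue  # usable for policy purposes, but never matches
        if association_data(cert_der, rec.matching_type) == rec.data:
            return "authenticated"
    return "refuse"

# Constructed sample input: a stand-in for the peer's DER certificate and the
# TLSA sets of "site A" (SHA1 only) and "site B" (SHA1 plus SHA2-256).
CERT = b"constructed stand-in for the peer certificate in DER form"
SITE_A = [Tlsa(HYPOTHETICAL_SHA1, association_data(CERT, HYPOTHETICAL_SHA1))]
SITE_B = SITE_A + [Tlsa(1, association_data(CERT, 1))]

if __name__ == "__main__":
    for name, recs in (("site A", SITE_A), ("site B", SITE_B)):
        for policy in (False, True):
            print(name, policy, dane_outcome(recs, CERT, {HYPOTHETICAL_SHA1}, policy))
```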