Re: [dane] Digest identifiers in -registry-acronyms-02

mrex@sap.com (Martin Rex) Wed, 11 December 2013 00:05 UTC

Richard Barnes wrote:
> 
> The digest identifiers in draft-ietf-dane-registry-acronyms-02 seem a
> little silly, in that nobody else in the world really seems to care that
> these are variants of SHA2.  The standard practice across many libraries is
> to just use some variant of "SHA-XXX", where XXX=256,384,512.

While sha224, sha256, sha384 and sha512 are members of the SHA2-Family,
they're not all the same algorithm; they use two separate algorithms.

sha256 + sha224  use the same 32-bit algorithm
(different internal start value, output truncation for sha224)

   http://tools.ietf.org/html/rfc6234#section-5.1


sha512 + sha384  use the same 64-bit algorithm
(different internal start value, output truncation for sha384)

   http://tools.ietf.org/html/rfc6234#section-5.2


> 
> So I would suggest we just change these to "SHA-256" and "SHA-512".

In theory, reusing (or copying) an existing IANA registry would
be preferable to inventing yet another different variant.

Unfortunately, it seems that all variants already exist...

  TLS:      http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18

    0 	none 	Y 	[RFC5246]
    1 	md5 	Y 	[RFC5246]
    2 	sha1 	Y 	[RFC5246]
    3 	sha224 	Y 	[RFC5246]
    4 	sha256 	Y 	[RFC5246]
    5 	sha384 	Y 	[RFC5246]
    6 	sha512 	Y 	[RFC5246]

  PKIX/CMS: http://www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xhtml

    "md2" 	1.2.840.113549.2.2 	[RFC3279]
    "md5" 	1.2.840.113549.2.5 	[RFC3279]
    "sha-1" 	1.3.14.3.2.26 	[RFC3279]
    "sha-224" 	2.16.840.1.101.3.4.2.4 	[RFC4055]
    "sha-256" 	2.16.840.1.101.3.4.2.1 	[RFC4055]
    "sha-384" 	2.16.840.1.101.3.4.2.2 	[RFC4055]
    "sha-512" 	2.16.840.1.101.3.4.2.3 	[RFC4055]

  IPSEC:    http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-6

    1 	MD5 	[RFC1321]
    2 	SHA 	[NIST, FIPS PUB 180-1: Secure Hash Standard, April 1995.]
    3 	Tiger 	[Anderson, R., and Biham, E., "Fast Software Encryption", Springer LNCS v. 1039, 1996.]
    4 	SHA2-256 	[Marcus_Leech][RFC4868]
    5 	SHA2-384 	[Marcus_Leech][RFC4868]
    6 	SHA2-512 	[Marcus_Leech][RFC4868]

  DKIM:     http://www.iana.org/assignments/dkim-parameters/dkim-parameters.xhtml#dkim-parameters-7

    sha1 	[FIPS-180-3-2008] 	active
    sha256 	[FIPS-180-3-2008] 	active

  DNSSEC/NSEC3:  http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-3

    0 	Reserved 	[RFC5155]
    1 	SHA-1 		[RFC5155]

  DNSSEC:    http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1

  Number  Description    Mnemonic
    5 	RSA/SHA-1 	RSASHA1 	Y  Y 	[RFC3110][RFC4034]
    6 	DSA-NSEC3-SHA1 	DSA-NSEC3-SHA1 	Y  Y 	[RFC5155][proposed standard]
    8 	RSA/SHA-256 	RSASHA256 	Y  * 	[RFC5702][proposed standard]
    9 	Reserved 				[RFC6725]
    10 	RSA/SHA-512 	RSASHA512 	Y  * 	[RFC5702][proposed standard]



RFC 4634 / 6234  http://tools.ietf.org/html/rfc6234#page-3

    4.1. SHA-224 and SHA-256
    4.2. SHA-384 and SHA-512


-Martin
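
The sha224/sha256 relationship described in the message above (RFC 6234 section 5.1), as an added example that is not part of the original post: one 32-bit routine produces both digests, and only the start value and the output length differ. The function and constant names are this example's own; hashlib is used only as the reference to compare against.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def _iroot(n, k):
    """floor(n ** (1/k)) by integer bisection, so no float rounding is involved."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= n else (lo, mid - 1)
    return lo

# First 64 primes; the 32-bit SHA-2 constants are fractional bits of their roots.
PRIMES = [p for p in range(2, 312) if all(p % q for q in range(2, p))]
K = [_iroot(p << 96, 3) & MASK for p in PRIMES]       # cube roots, 32 fraction bits
SQRT = [_iroot(p << 128, 2) for p in PRIMES[:16]]     # square roots, 64 fraction bits
IV_SHA256 = [(v >> 32) & MASK for v in SQRT[:8]]      # primes 1-8, first 32 bits
IV_SHA224 = [v & MASK for v in SQRT[8:]]              # primes 9-16, second 32 bits

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def sha2_32bit(msg, iv, out_len):
    """Shared 32-bit SHA-2 core; iv and out_len are the only per-variant inputs."""
    padded = (msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
              + struct.pack(">Q", len(msg) * 8))
    h = list(iv)
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for t in range(16, 64):  # message schedule
            s0 = _rotr(w[t - 15], 7) ^ _rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
            s1 = _rotr(w[t - 2], 17) ^ _rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
            w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
        a, b, c, d, e, f, g, hh = h
        for t in range(64):  # compression rounds
            t1 = (hh + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
                  + ((e & f) ^ (~e & g)) + K[t] + w[t]) & MASK
            t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
                  + ((a & b) ^ (a & c) ^ (b & c))) & MASK
            a, b, c, d, e, f, g, hh = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return struct.pack(">8I", *h)[:out_len]

def sha256(msg):
    return sha2_32bit(msg, IV_SHA256, 32)

def sha224(msg):
    return sha2_32bit(msg, IV_SHA224, 28)

def matches_hashlib(msg):
    """True when both variants agree with the hashlib reference digests."""
    return (sha256(msg) == hashlib.sha256(msg).digest()
            and sha224(msg) == hashlib.sha224(msg).digest())
```

Because the start values differ, a sha224 digest is not a prefix of the sha256 digest of the same input, so the two identifiers cannot be treated as interchangeable with a length check alone.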