Re: [dane] Digest Algorithm Agility discussion
Viktor Dukhovni <viktor1dane@dukhovni.org> Sun, 23 March 2014 18:21 UTC
Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 835371A6FF9 for <dane@ietfa.amsl.com>; Sun, 23 Mar 2014 11:21:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n0gWaz2rr5eP for <dane@ietfa.amsl.com>; Sun, 23 Mar 2014 11:21:09 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id E93A71A6FF8 for <dane@ietf.org>; Sun, 23 Mar 2014 11:21:08 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 390CE2AB250; Sun, 23 Mar 2014 18:21:07 +0000 (UTC)
Date: Sun, 23 Mar 2014 18:21:07 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140323182106.GX24183@mournblade.imrryr.org>
References: <20140315051704.GY21390@mournblade.imrryr.org> <0l4n2sa5a0.fsf@wjh.hardakers.net> <20140322074737.GA5739@anguilla.noreply.org> <20140323174205.63C6111B2111@rock.dv.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20140323174205.63C6111B2111@rock.dv.isc.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/oo2pyGZswQunR7QgxFtigs_fdPA
Subject: Re: [dane] Digest Algorithm Agility discussion
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Mar 2014 18:21:11 -0000
On Mon, Mar 24, 2014 at 04:42:05AM +1100, Mark Andrews wrote: > Truly, we do not know which of SHA256 and SHA512 will be broken > first. Both are more than strong enough for this job at this point > in time. Agree with this 100%. > When one is broken it will no longer be strong enough. > Neither will be broken by brute force. They will be broken by > discoveries of flaws in the algorithms. We support multiple > algorithms so that when/if one is broken we do not end up in a > situation of having no trusted algorithms supported. I assume that once the SHA3 (aka Keccac) specification is finally published by NIST, there will be a DANE-related draft registering at least two new matching type algorithms for TLSA records: 3 SHA3-256 4 SHA3-512 At that point, a client evaluating a TLSA RRset will have a real choice, for example: SHA2-256 vs. SHA3-256. The reason the SHA3 competition was held and the Keccac sponge construction was selected, is that with MD5 and SHA1 looking broken and vulnerable respectively, there was a desire to find new hash primitives that are based on new ideas. So SHA3 is essentially our insurance policy on further progress against the similar SHA1 and SHA2 designs. While for now progress along these lines appears to be stalled, it is not unreasonable to admit the *possibility* that it might resume again. Initially, clients may be configured to prefer SHA2-256 (which is both mandatory to implement and has stood the test of time). However, later if there is any trouble on the SHA2 front, the client can be updated to prefer SHA3 (when published by the server) to SHA2. The proposed specification provides a transition mechanism with no flag day, algorithms can be deprecated (relative to more preferred algorithms) without being disabled. If a server publishes: SHA2-256 SHA2-512 SHA3-256 And the client's preference order is (best to worst): SHA3-256, SHA2-512, SHA2-256, then the client will only evaluate the TLSA records with SHA3-256 digests and if none match, authentication fails. Today the client can prefer: SHA2-256, SHA2-512 And, since both are currently believed well out of reach of even state-funded adversaries, save itself the wasted cycles of computing SHA2-512 when both are published. The point of Wes's choice "B" is that clients don't have to impose a flag on themselves and drop weakened algorithms entirely, given that many servers may not be publishing anything stronger. Instead with "B", the client uses the strongest mutually available option. -- Viktor.
- [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Paul Wouters
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Paul Hoffman
- Re: [dane] Digest Algorithm Agility discussion Paul Wouters
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Paul Hoffman
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Paul Wouters
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Paul Hoffman
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Martin Rex
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Mark Andrews
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion (c… Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Jim Schaad
- Re: [dane] Digest Algorithm Agility discussion (c… Paul Hoffman
- Re: [dane] Digest Algorithm Agility discussion (c… Andrew Sullivan
- Re: [dane] Digest Algorithm Agility discussion (c… Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion (c… Scott Rose
- Re: [dane] Digest Algorithm Agility discussion (c… Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion (c… Scott Rose
- Re: [dane] Digest Algorithm Agility discussion Wes Hardaker
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
- Re: [dane] Digest Algorithm Agility discussion Mark Andrews
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Mark Andrews
- Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
- Re: [dane] Digest Algorithm Agility discussion Mark Andrews
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Mark Andrews
- Re: [dane] Digest Algorithm Agility discussion Mark Andrews
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Paul Wouters
- Re: [dane] Digest Algorithm Agility discussion Viktor Dukhovni
- Re: [dane] Digest Algorithm Agility discussion Peter Palfrader
- Re: [dane] Digest Algorithm Agility discussion Wes Hardaker
- Re: [dane] Digest Algorithm Agility discussion Wes Hardaker