IETF Logo Mail Archive

Re: [Dcrup] rsa-sha1 proposals

Hector Santos <hsantos@isdg.net> Tue, 20 June 2017 22:47 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB378127275 for <dcrup@ietfa.amsl.com>; Tue, 20 Jun 2017 15:47:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=k7+t5ioh; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=KV/yRCCq
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BplNrGlVXTRf for <dcrup@ietfa.amsl.com>; Tue, 20 Jun 2017 15:47:42 -0700 (PDT)
Received: from listserv.winserver.com (catinthebox.net [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id 62940126C0F for <dcrup@ietf.org>; Tue, 20 Jun 2017 15:47:42 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=926; t=1497998853; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=EwXCZsmt2rySdMS4Tz66qcJdgyY=; b=k7+t5iohodKK0rT3qB5H9nFUANJLzPwTbcKloYVCg6oricxAw2TGpIDhsaHbP9 tsxqH5Ycv7J2dHA0Rl/Hjfl13szo4mJQIkZoygr0l2kTSEy/NAw1orJA8RjoZCLV PC977AoL4CiDYPhmzAt7OVURX5tejmeOHJsnTgsDiaWhg=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.5) for dcrup@ietf.org; Tue, 20 Jun 2017 18:47:33 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com;
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v7.0.454.5) with ESMTP id 2357732489.1.1944; Tue, 20 Jun 2017 18:47:32 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=926; t=1497998649; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=zLE5K1+ ch8niuPcKTelpaYmKODjHDuHmI487OXdtbJU=; b=KV/yRCCq1+L9Sge3OWXfOUo i8h21drO9J+BEwkSm/wMmVQSJ00TgfehGlWYXH5ZlCVMC3rKvYpE9VxsILJUYR4b xriXmVsuJ7X+VQ9QV7JJhfiOWy/PkHwgtxg79mcaz1zAue/m6ps6ECMxHScGtPs7 WxgaYBROXjCwtKqXyQwk=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.5) for dcrup@ietf.org; Tue, 20 Jun 2017 18:44:09 -0400
Received: from [192.168.1.68] ([99.121.5.8]) by beta.winserver.com (Wildcat! SMTP v7.0.454.5) with ESMTP id 2900287345.9.622460; Tue, 20 Jun 2017 18:44:08 -0400
Message-ID: <5949A603.5080408@isdg.net>
Date: Tue, 20 Jun 2017 18:47:31 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dcrup@ietf.org
References: <1642300.47WuTbIWPP@kitterma-e6430> <CABuGu1q66gCCVeurfdV3qF3yvKyL8PbBoW5D94mvNNatVtRT+g@mail.gmail.com>
In-Reply-To: <CABuGu1q66gCCVeurfdV3qF3yvKyL8PbBoW5D94mvNNatVtRT+g@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/5kpDO6CAXifrWvMwsLW8I1-dzsQ>
Subject: Re: [Dcrup] rsa-sha1 proposals
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jun 2017 22:47:45 -0000

On 6/20/2017 3:00 PM, Kurt Andersen wrote:
>
> I'm in favor of moving strongly and clearly to kill sha1, but what
> about moving it out to the registry with a dated "MUST NOT". That
> provides for a deprecation period without the need for further
> intervention. The other advantage is that it provides a stronger
> historical record that people can point to when explaining
> brain-deadness to people who have not updated :-)
> I would suggest a "drop dead" date of something like mid-2018 to allow
> the rest of this work to reach completion.
>

-1.

I'm not going to stop supporting SHA1 and invaliding signatures based 
on a drop dead date. I would prefer a "hint" from the already existing 
overhead DNS lookups being down, i.e. either the key lookup or author 
domain policy.   If the "Author Domain" says "we only do SHA256, then 
that should allow for a supportive verifier to act accordingly.

-- 
HLS

v2.29.0 | Report a Bug | By Email | System Status