IETF Logo Mail Archive

Re: [Dcrup] rsa-sha1 usage

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 14 June 2017 02:11 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 419461274D0 for <dcrup@ietfa.amsl.com>; Tue, 13 Jun 2017 19:11:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bff78ssLeNsF for <dcrup@ietfa.amsl.com>; Tue, 13 Jun 2017 19:11:36 -0700 (PDT)
Received: from mail-oi0-x243.google.com (mail-oi0-x243.google.com [IPv6:2607:f8b0:4003:c06::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBAF81275AB for <dcrup@ietf.org>; Tue, 13 Jun 2017 19:11:35 -0700 (PDT)
Received: by mail-oi0-x243.google.com with SMTP id k145so11628356oih.0 for <dcrup@ietf.org>; Tue, 13 Jun 2017 19:11:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=fnnggE0NDB/DBjdIlNHOomtInqYDWbkg/eze497fDMM=; b=tTbtI8ijHzFf6GHzK0rp2xw0eC3ru2NOd+JR5gmZRLQ8/qQX9zPtiRNnmHPAR/6rll WOysK3QxWAoUE84dsg8jjNS5ZxNCcwMd6tV4cjTuYLdpuBLOrTBtVMyV03+Zwf4kLZ4Z 3Y9QirW/wQlQSqbMw4uahSpKqv+xeNL6VIOQiS4X3/2cc8vj3+duRO/Yj8k2go53hj+2 8ZCjjmjskwBGmlrjMrji/jSPKFOYb/uVc4/H5u789eaW+VHr4uRG2643hy8gPS8rIVLe 0oe9F1BS6KazA+CX1N4Z1p7E5aifNn7PNwXV536eJLHMIR2zo003rXMDNLaXMsiP/uOl E+7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=fnnggE0NDB/DBjdIlNHOomtInqYDWbkg/eze497fDMM=; b=sjYsszwyxUlkzC4XXGuqFPFrcvx6eDCl5Bp5S4rF+9hTtt/5mneJgAjxJiuQSb8Hwq QKbbl1pr92W278bhpHZyQt2q+vKvQV0biX/vxv44z99pguwV5vvdVUL8a8luTdgWZHf3 bz1bAG9G/vs48zUUXkDVtwaA8zlNc2OXYgSs8xppWea6fQ505P+eRABw7/xEA2yz+bqX 0zYl2eZ5KgGeY9rBy/tp7TFp3/4YjiujyhNxcutK3ar0LOAFzcNStWPmCvxEbRCwSl+C 6ONjiFk8rwHkm/KoRWa3Z+BonEdhvTYx/Ok4L9Z5CohyHd+1Ia4k375MKMHB5p5R5xH1 15aw==
X-Gm-Message-State: AKS2vOxX/z321aB5XrL+OSPYWNxVYFkpS4rv2N3DqtXwh+f9UFxUu+a1 5Sjo4A5BLdgBKVEPq2sT3IsatHGywA==
X-Received: by 10.202.212.73 with SMTP id l70mr1965387oig.4.1497406295150; Tue, 13 Jun 2017 19:11:35 -0700 (PDT)
MIME-Version: 1.0
Sender: hallam@gmail.com
Received: by 10.157.23.5 with HTTP; Tue, 13 Jun 2017 19:11:34 -0700 (PDT)
In-Reply-To: <CAL0qLwaqPwb+cNhRCWLBp2qjTWtS65JAvstc9GfrhDDXRv+d6w@mail.gmail.com>
References: <m38tkw53bd.fsf@carbon.jhcloos.org> <CABa8R6s6rzc+Ky8sLWcK7NtforSksEhNRkWVeF=k1v8GC80knw@mail.gmail.com> <m3wp8gpx20.fsf@carbon.jhcloos.org> <CAOj=BA2O+Hf2VGOtbmnqY2M5J9u8uJ7wm7SxEW551SXBwDdanw@mail.gmail.com> <5bf52517591d4950aec335d31bcf3631@usma1ex-dag1mb1.msg.corp.akamai.com> <aa52134a-ac20-bd70-8834-1598a8eaa536@bluepopcorn.net> <29B74569-6BB3-43F8-9549-566DA405B1FF@kitterman.com> <CAL0qLwaqPwb+cNhRCWLBp2qjTWtS65JAvstc9GfrhDDXRv+d6w@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 13 Jun 2017 22:11:34 -0400
X-Google-Sender-Auth: rrHn1KFlpg8CIbo0WChl4CQS5QE
Message-ID: <CAMm+LwhZpbKbDvQtUbuvcCKdUjrW9iYYE7w7ke2OuQ_tAmf3mg@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: Scott Kitterman <sklist@kitterman.com>, dcrup@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/7qqlMFp1b8fBsRYzC8llhsqeRiQ>
Subject: Re: [Dcrup] rsa-sha1 usage
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jun 2017 02:11:37 -0000

On Tue, Jun 13, 2017 at 9:40 PM, Murray S. Kucherawy
<superuser@gmail.com> wrote:
> On Tue, Jun 13, 2017 at 8:43 AM, Scott Kitterman <sklist@kitterman.com>
> wrote:
>>
>> I think your proposed remedy is too mild though.  Given the degree to
>> which the SHOULD NOT sign rsa-sha1 has been ignored for the last decade, I
>> don't believe anything other than MUST NOT sign/MUST NOT verify rsa-sha1 is
>> very useful.
>
>
> That being the case, why do we think people will pay attention to a MUST NOT
> today?

MUST NOT sign is perfectly viable and proper and will be followed by
anything that has the right to call itself compliant with the new
spec.

MUST NOT verify is not supported by the state of the crypto and is
guaranteed to be ignored. It is an utterly illogical criteria since
there is no requirement to sign at all.

v2.29.0 | Report a Bug | By Email | System Status