IETF Logo Mail Archive

Re: [Dcrup] rsa-sha1 proposals

Seth Blank <seth@valimail.com> Tue, 20 June 2017 16:19 UTC

Return-Path: <seth@valimail.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8124D131526 for <dcrup@ietfa.amsl.com>; Tue, 20 Jun 2017 09:19:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9qVNq62a4Wyo for <dcrup@ietfa.amsl.com>; Tue, 20 Jun 2017 09:19:18 -0700 (PDT)
Received: from mail-qt0-x234.google.com (mail-qt0-x234.google.com [IPv6:2607:f8b0:400d:c0d::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A18B128C83 for <dcrup@ietf.org>; Tue, 20 Jun 2017 09:19:18 -0700 (PDT)
Received: by mail-qt0-x234.google.com with SMTP id u12so137536956qth.0 for <dcrup@ietf.org>; Tue, 20 Jun 2017 09:19:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=aI52nlbq3FOqYfkrPNSGBTezvisVktuuD97fq2dtvqA=; b=O3xWVC7a2iXOI8WWg5hOiSvmyL1nHh+6bgrKlu5FKdAHm8kt+Q+s++N8vqDgD5DZDR 9m252tsptIhIiTyB3OEGcOqZDJ8Pb+l119xU4SDTvfdelvNT6FQRXW0K2vsl92qQrCyC mUO97KBaq0AHCh+J2Yz3GdbPMP+BhfMDOteKACpv92B/EU0wMgJHtpp6AuWA+EOxNO1K yieKh3mwzE6p9VNKxMscc1o5+i3tV62MWKvom0jNhD1QnxoPFFbSc/DjY7lXoNzUgFHx YTlz2hDB4ONeE3VM2VJMTWFssZJdSROAwvF+UPr148AGe1mDeOcSsVK3Jz0oGjIT/Gab +QaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=aI52nlbq3FOqYfkrPNSGBTezvisVktuuD97fq2dtvqA=; b=M39culL/SIvMsdnbYv474Iza1kZQxG8uP5u0YGRBOZsgT9ywuc+M8CJnpDKF64HAZK L9pqiMGut/Bnvr0woIZoTye55VvVMzD8Akyar/ToWEkPDgV44yfB/InTBJdvuJfzOrtQ jp06tGh6FTeP/oPG/iafHYyZcd0AmeIQqnUTxlH726mGBiKXZEwdibZUIyCZk9Ra64Ms CjniB8YHIL+5qyPrIPJ8N1QXDe+7foUXB66c/Efq7J0M3sfkHKSeSJc+H6pykg8o9lY9 kykyAQCpYOQ6vt7KI6yICCzIqd066i+lOeE9yJb8zda8032+kRZB34LmXn6j9TiRGQoO cilg==
X-Gm-Message-State: AKS2vOzJs3SjWxlKYV4DLHYe+JyhWTQwq9wgxjqJeEW/zuhWso5Kgtqz /d9HWRQYR/WPmHE4I40MLBss1H83VemLSPg=
X-Received: by 10.237.45.103 with SMTP id h94mr35878491qtd.204.1497975557068; Tue, 20 Jun 2017 09:19:17 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.200.43.27 with HTTP; Tue, 20 Jun 2017 09:18:56 -0700 (PDT)
In-Reply-To: <1642300.47WuTbIWPP@kitterma-e6430>
References: <1642300.47WuTbIWPP@kitterma-e6430>
From: Seth Blank <seth@valimail.com>
Date: Tue, 20 Jun 2017 09:18:56 -0700
Message-ID: <CAOZAAfPvDDuTW6cC6ZQqN7zxDEvVn8=Lp_8jCveigE5zT8gDmA@mail.gmail.com>
To: "dcrup@ietf.org" <dcrup@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c124a6ef6316b0552669c61"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/ABLMqhH2XeQVgqO7zIVqI2yrqas>
Subject: Re: [Dcrup] rsa-sha1 proposals
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jun 2017 16:19:20 -0000

On Tue, Jun 20, 2017 at 8:39 AM, Scott Kitterman <sklist@kitterman.com>
wrote:

> Remove rsa-sha1:
> This option eliminates (to the extent it is adopted) the potential of
> security
> risks with rsa-sha1.  If a relevant issue with rsa-sha1 is made public,
> there
> will be no further standards work that needs to be done.  This option also
> keeps the number of algorithms at two, eliminating the additional
> complexity
> associated with having more algorithms to sort through in implementation.
> While this might be considered somewhat abrupt, rsa-sha1 signing has been
> effectively SHOULD NOT for a decade.  Maybe this will create some momentum
> for
> operators to move off of it.
>
> It is abrupt to remove something without a formal deprecation period.
>

I strongly vote to remove SHA1 as proposed here; I do not believe any other
approach will incentivize senders or receivers to make the change.

I do not believe this qualifies as an "abrupt" deprecation, as you said, it
has been SHOULD NOT for over a decade.



> Thoughts?
>
> Scott K
>
>
> _______________________________________________
> Dcrup mailing list
> Dcrup@ietf.org
> https://www.ietf.org/mailman/listinfo/dcrup
>

v2.30.2 | Report a Bug | By Email | System Status