Re: [Dcrup] Time For People To Really Stop Using SHA-1 Signatures?

"Salz, Rich" <rsalz@akamai.com> Tue, 14 January 2020 16:27 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/Ax9DPlF_f3StKFAsbTaQgJVBbsw>

As I recall, we had extended discussion about MUST NOT SHA1 and Hector was the only one opposed to dropping SHA1.  We also discussed changing the version number because of changing the crypto, and while there were a couple of people who were sympathetic to the view, this was not done.

>    I know you know this, so please stop pretending it's not true.

Hector, I do not know what you actually know, but please keep this reminder, and Scott's, in mind.  Repeating "sha1 is still in the standard" is wrong.  And if you forgot, now you know.  Please stop, you are hurting the Internet (and those who read mail archives to see what's going on).

	/r$, co-chair.