Return-Path: <superuser@gmail.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 35B5A129AEA
 for <dcrup@ietfa.amsl.com>; Tue, 13 Jun 2017 20:29:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001]
 autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
 header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id M7Aw4P7Ti-P0 for <dcrup@ietfa.amsl.com>;
 Tue, 13 Jun 2017 20:29:02 -0700 (PDT)
Received: from mail-ua0-x230.google.com (mail-ua0-x230.google.com
 [IPv6:2607:f8b0:400c:c08::230])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id 520F012957B
 for <dcrup@ietf.org>; Tue, 13 Jun 2017 20:29:02 -0700 (PDT)
Received: by mail-ua0-x230.google.com with SMTP id q15so87142816uaa.2
 for <dcrup@ietf.org>; Tue, 13 Jun 2017 20:29:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; 
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc; bh=3kF7HqY/S5zy7mX19L95ZlEeL6aqtjf7yLAuWZVzlz0=;
 b=U5UssZr+Nsv7vDYfhtiDM2EHeIUh/jdzcEbSktnOrQ1TUT3sLcl4eLusanpgAl299L
 g/f5mJNUu3BWBgb1LNc4JwcqRfskKW+wbRVmYPAsHWxAomPvmfo9iE4p5tUhz2BewLR9
 VfG4g8pos2c33cMEovFNBY2cL+OR1JEjbEa6cTpXHg9gaeBMXv52SYOquSO55BzX4r35
 NquyFO8rqQa3RHB1HTBYtNMrW3BtwieaD5BEfuvXyQUqLBtkAgQ7WRjGkQ7vU2zgam9C
 ipc3/QbPgySq7qK4YoYvlyf1bGS2S2GKJ3LCTdR+Kuc6NyVv2KKMuL/KzvtiURd32hz2
 Ar/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=3kF7HqY/S5zy7mX19L95ZlEeL6aqtjf7yLAuWZVzlz0=;
 b=Sdr0gQMxp4LCxyHwTyi99gbZI0tobx9zWxvrTp1frzArqw0tkdn5SSCLRM1kgqERXK
 Zs85ExUQzXcstAYKiDwTWVpz8wBGadISea92/04D9CAbm0UZ3w6puLvV3YsCULx42Xd0
 ttd75SiOVWElK8ZS7mguTNtNDvEYffh9rbwy1FUROLCTYC4CaVpr2GRMKOaL623NIzgN
 q+LbHSeLkB9oVs1y9GYO9JxvohiDsZgss/o9K30ngkuWOK7M+jxih+72Soa9IJvcH6Y1
 QT4sI1dz411gzMLGFWVP7bzZX47FQrlBOF7/BOlNuEeHP3YRAb27keA3EhKrL/LlzYug
 bCQA==
X-Gm-Message-State: AKS2vOxaUGAjKb+vtg3FqGqy6UHPRZEsBkjiJkTlN6shZ0A1b1KAI5Uh
 nBjkYcYmxC4wTF9+/u+WFwcUu6bQUNtH5Hc=
X-Received: by 10.159.59.94 with SMTP id j30mr4071178uah.72.1497410941466;
 Tue, 13 Jun 2017 20:29:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.126.6 with HTTP; Tue, 13 Jun 2017 20:29:00 -0700 (PDT)
In-Reply-To: <CAL0qLwbFE5PzpOWzn-DwQ2D0z0=OAtEJLnwBbq2hk2SK2pc4Bg@mail.gmail.com>
References: <m38tkw53bd.fsf@carbon.jhcloos.org>
 <CABa8R6s6rzc+Ky8sLWcK7NtforSksEhNRkWVeF=k1v8GC80knw@mail.gmail.com>
 <m3wp8gpx20.fsf@carbon.jhcloos.org>
 <CAOj=BA2O+Hf2VGOtbmnqY2M5J9u8uJ7wm7SxEW551SXBwDdanw@mail.gmail.com>
 <5bf52517591d4950aec335d31bcf3631@usma1ex-dag1mb1.msg.corp.akamai.com>
 <aa52134a-ac20-bd70-8834-1598a8eaa536@bluepopcorn.net>
 <29B74569-6BB3-43F8-9549-566DA405B1FF@kitterman.com>
 <CAL0qLwaqPwb+cNhRCWLBp2qjTWtS65JAvstc9GfrhDDXRv+d6w@mail.gmail.com>
 <57fda1d5-b0b7-f226-60db-7f4c47233fc7@bluepopcorn.net>
 <CAL0qLwbFE5PzpOWzn-DwQ2D0z0=OAtEJLnwBbq2hk2SK2pc4Bg@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Tue, 13 Jun 2017 20:29:00 -0700
Message-ID: <CAL0qLwY5=YuXt+9Hf5yRYJfkJe3i5+kvPGPi90jNdfq4GJdukg@mail.gmail.com>
To: Jim Fenton <fenton@bluepopcorn.net>
Cc: dcrup@ietf.org
Content-Type: multipart/alternative; boundary="f403043ed9e83fbee10551e3279a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/bd_Tm0o0ctDBXpP696cTGVSA3Lg>
Subject: Re: [Dcrup] rsa-sha1 usage
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>,
 <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>,
 <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jun 2017 03:29:04 -0000

--f403043ed9e83fbee10551e3279a
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Tue, Jun 13, 2017 at 8:16 PM, Murray S. Kucherawy <superuser@gmail.com>
wrote:

> On Tue, Jun 13, 2017 at 6:55 PM, Jim Fenton <fenton@bluepopcorn.net>
> wrote:
>
> That being the case, why do we think people will pay attention to a MUST
>> NOT today?
>>
>>
>> Because implementations will stop supporting rsa-sha1, forcing the issue
>> for any who upgrade. I'm all for having them stop supporting signing wit=
h
>> rsa-sha1, but they should continue to support verification for a while.
>>
>
> We can't have this logic both ways.  Scott claimed nobody pays attention
> to the advice in RFCs ("Operational practice=E2=80=8B isn't closely coupl=
ed with
> standards changes").  If that's true, then there's no meat to a MUST NOT
> anyway, and it really only matters what people will implement.  And if
> that's true, then saying current implementations neither sign with nor
> verify "rsa-sha1" because it's deprecated suffices, and we're done.
>

As Pete Resnick loves to point out, RFC prose can be normative without
using RFC2119 words.

The text of RFC2119 counsels against unnecessary use of the words it
defines.  It also contains this language: "...actually required for
interoperation" (which use of rsa-sha1 clearly does not impede) "or to
limit behavior which has potential for causing harm".  I suppose this
latter is the key issue.

Still, I don't find it necessary or appropriate with respect to deprecating
rsa-sha1, for reasons previously given.

-MSK

--f403043ed9e83fbee10551e3279a
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">On Tue, Jun 13, 2017 at 8:16 PM, Murray S. Kucherawy <span=
 dir=3D"ltr">&lt;<a href=3D"mailto:superuser@gmail.com" target=3D"_blank">s=
uperuser@gmail.com</a>&gt;</span> wrote:<br><div class=3D"gmail_extra"><div=
 class=3D"gmail_quote"><blockquote class=3D"gmail_quote" style=3D"margin:0p=
x 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><d=
iv dir=3D"ltr"><span class=3D"gmail-">On Tue, Jun 13, 2017 at 6:55 PM, Jim =
Fenton <span dir=3D"ltr">&lt;<a href=3D"mailto:fenton@bluepopcorn.net" targ=
et=3D"_blank">fenton@bluepopcorn.net</a>&gt;</span> wrote:<span class=3D"gm=
ail-m_-6145878638703474686gmail-"></span><span class=3D"gmail-m_-6145878638=
703474686gmail-"></span><br class=3D"gmail-m_-6145878638703474686gmail-m_79=
41309515915358628Apple-interchange-newline"><span class=3D"gmail-m_-6145878=
638703474686gmail-">
    </span></span><div class=3D"gmail_extra"><br><div class=3D"gmail_quote"=
><span class=3D"gmail-"><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><=
div bgcolor=3D"#FFFFFF"><span class=3D"gmail-m_-6145878638703474686gmail-">=
<blockquote type=3D"cite">
      <div dir=3D"ltr">
        <div class=3D"gmail_extra">
          <div class=3D"gmail_quote">
            <div>That being the case, why do we think people will pay
              attention to a MUST NOT today?<br>
           =20
          </div></div>
        </div>
      </div>
    </blockquote>
    <br></span>
    Because implementations will stop supporting rsa-sha1, forcing the
    issue for any who upgrade. I&#39;m all for having them stop supporting
    signing with rsa-sha1, but they should continue to support
    verification for a while.</div></blockquote><div><br></div></span><div>=
We can&#39;t have this logic both ways.=C2=A0 Scott claimed nobody pays att=
ention to the advice in RFCs (&quot;Operational practice=E2=80=8B isn&#39;t=
 closely coupled with standards changes&quot;).=C2=A0 If that&#39;s true, t=
hen there&#39;s no meat to a MUST NOT anyway, and it really only matters wh=
at people will implement.=C2=A0 And if that&#39;s true, then saying current=
 implementations neither sign with nor verify &quot;rsa-sha1&quot; because =
it&#39;s deprecated suffices, and we&#39;re done.<span class=3D"gmail-HOEnZ=
b"></span></div></div></div></div></blockquote><div><br></div><div>As Pete =
Resnick loves to point out, RFC prose can be normative without using RFC211=
9 words.<br><br>The text of RFC2119 counsels against unnecessary use of the=
 words it defines.=C2=A0 It also contains this language: &quot;...actually =
required for interoperation&quot; (which use of rsa-sha1 clearly does not i=
mpede) &quot;or to limit behavior which has potential for causing harm&quot=
;.=C2=A0 I suppose this latter is the key issue.<br><br></div><div>Still, I=
 don&#39;t find it necessary or appropriate with respect to deprecating rsa=
-sha1, for reasons previously given.<br></div><div><br>-MSK<br></div></div>=
</div></div>

--f403043ed9e83fbee10551e3279a--