Re: [Dcrup] Time For People To Really Stop Using SHA-1 Signatures?

[Hector Santos <hsantos@isdg.net>]

On 1/14/2020 11:26 AM, Salz, Rich wrote:
> As I recall, we had extended discussion about MUST NOT SHA1 and Hector was the only one opposed to dropping SHA1.  We also discussed changing the version number because of changing the  crypto, and while there were a couple of people who were sympathetic to the view, this was not done.
>
>>     I know you know this, so please stop pretending it's not true.
>
> Hector, I do not know what you actually know, but please keep this reminder, and Scott's in mind.  Repeating "sha1 is still in the standard" is wrong.  And if you forgot, now you know.  Please stop, you are hurting the Internet (and those who read mail archives to see what's going on).
>
> 	/r$, co-chair.


I am not "hurting the internet.  You would be "hurting the internet" 
if you promoted the idea of pulling SHA1 from the tool set because you 
would be causing immediate fails where as today, there is no failure.

And BTW, I was practically the only one who was advocating DKIM Policy 
since the beginning. It was a lonely world, trust me,  and since I was 
the practically the only one, ADSP was abandoned only to be replaced 
with the same issue and problems, and its not even a proposed standard 
and look at the potential replay problems will can have with Rewrites. 
  Today how much DKIM POLICY has grown and I always felt it would 
grow.  So I don't buy "I am the only one." I may be the only one to 
dare speak up.

So please don't get mad at me. my engineering and security position 
was clear than and it is clear now.  It would be a mistake for SHA1 to 
be pulled from APIs and Tools. If you do it with OpenSSL, since you 
privy to the team,  I think it would be YOU who would be hurting 
implementers, developers, products vendors, customers and the INTERNET.


-- 
HLS