Date: Wed, 14 Jun 2017 03:35:35 +0000
To: dcrup@ietf.org
From: Scott Kitterman <sklist@kitterman.com>
Message-ID: <182B1730-A277-4E7F-ACFF-F51E766173BB@kitterman.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/mhsKR2gH0Asgl6iA3S3s-Btcq0g>
Subject: Re: [Dcrup] rsa-sha1 usage

On June 13, 2017 11:16:11 PM EDT, "Murray S. Kucherawy" <superuser@gmail.com> wrote:
>On Tue, Jun 13, 2017 at 6:55 PM, Jim Fenton <fenton@bluepopcorn.net> wrote:
>
>> That being the case, why do we think people will pay attention to a MUST
>> NOT today?
>>
>>
>> Because implementations will stop supporting rsa-sha1, forcing the issue
>> for any who upgrade. I'm all for having them stop supporting signing with
>> rsa-sha1, but they should continue to support verification for a while.
>>
>
>We can't have this logic both ways.  Scott claimed nobody pays attention to
>the advice in RFCs ("Operational practice isn't closely coupled with
>standards changes").  If that's true, then there's no meat to a MUST NOT
>anyway, and it really only matters what people will implement.  And if
>that's true, then saying current implementations neither sign with nor
>verify "rsa-sha1" because it's deprecated suffices, and we're done.

What I should have said is sometimes standards lead and sometimes they
follow.  Bumping up the minimum RSA key size is the standards community
catching up to what the operational community did half a decade ago.  OTOH,
I think rsa-sha1 usage will decline once there is strong MUST NOT guidance
published.  Not immediately, but considering the mail system development,
deployment, upgrade life cycle it's much better to give things a good push
in that direction now, before it's time to panic.

Scott K

