IETF Logo Mail Archive

Re: [Dcrup] rsa-sha1 usage

"Murray S. Kucherawy" <superuser@gmail.com> Wed, 14 June 2017 12:34 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89F6212EBDF for <dcrup@ietfa.amsl.com>; Wed, 14 Jun 2017 05:34:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7JRG9qHgwGgt for <dcrup@ietfa.amsl.com>; Wed, 14 Jun 2017 05:34:43 -0700 (PDT)
Received: from mail-vk0-x229.google.com (mail-vk0-x229.google.com [IPv6:2607:f8b0:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DDA912E04F for <dcrup@ietf.org>; Wed, 14 Jun 2017 05:34:43 -0700 (PDT)
Received: by mail-vk0-x229.google.com with SMTP id y70so41579246vky.3 for <dcrup@ietf.org>; Wed, 14 Jun 2017 05:34:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=T/BGRHJuG6BP3NpAPZ1Z8uv4xpitpndg1QphPIowrk0=; b=eJVxEuI2EPgIgyXW2S1R6HOM9dbC95zHQjLkB/xz0mj063s6NAUmIehEBW1Z1brJ8t yO5dZBK1i1gLWohdC88gjVTcJTwLKy/QcetE8BbAg4+Jr+xxv9GbScYfhealFDrRWLjc 2Iw9NcdBwp6IhlMF27a3rBL7MSrk8K6RLfetGEjd2iZWc7uM22yLQ87As1t9gHn9Jx6e oNnp1fSG+3D8CtOXipbvQTnbYqjSxw2EkKnt3QUI2P7UNM6mPRJhSgN2OAOpBiGKRF/N sv6DOZf9QCUPh1M9kZrsOioNjW1UVDGneRqCO83KrpXlnY/HioGpxhkp35/+di8AiKj+ 48Mw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=T/BGRHJuG6BP3NpAPZ1Z8uv4xpitpndg1QphPIowrk0=; b=bwQmz76aBg2xyfGsaRw0StX/xE/+5CkwSBR4R2EfyUOzpAWRtF6rTea1A1Qz2P2Lle 5mUqdcFfvK1EsvlXY1kidu0yGwo10QfWB2j6DG65zgh3MjqTap/uFd7SsIjmh+kO1ZnP Ia5c6/m3YqANomipgjShwZ302H+LSBeRaMpmBfmNXirlfrkNKi/q0fzydRrFVGIM9SZ2 MVf6ba2aB6GrsMd9nXUeDJRyvrfOobXm1iu4qL0L3d+GlwzJOO18iyCWxHL0bznspR79 ToDepJUs+QplsxJtY1tYQdNT9QEcHKM4/FVcwuyS/Tjrj/xB7YVVl8ERjcPqO1osrYtv /wRg==
X-Gm-Message-State: AKS2vOzgdlrjizfr/7eAgjyh+GGAYehbmbsheEe5xeRmOglh1Q0aoAz8 3CfwD66H0xsn6+u2HFWND/GWWWF6wzeR
X-Received: by 10.31.2.204 with SMTP id 195mr205287vkc.65.1497443682590; Wed, 14 Jun 2017 05:34:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.126.6 with HTTP; Wed, 14 Jun 2017 05:34:41 -0700 (PDT)
In-Reply-To: <CAOZAAfPKvChF7wmsZ6mhsJ6VaArJ2AC+CqM1voY_RbHJ6WGr5Q@mail.gmail.com>
References: <m38tkw53bd.fsf@carbon.jhcloos.org> <CABa8R6s6rzc+Ky8sLWcK7NtforSksEhNRkWVeF=k1v8GC80knw@mail.gmail.com> <m3wp8gpx20.fsf@carbon.jhcloos.org> <CAOj=BA2O+Hf2VGOtbmnqY2M5J9u8uJ7wm7SxEW551SXBwDdanw@mail.gmail.com> <5bf52517591d4950aec335d31bcf3631@usma1ex-dag1mb1.msg.corp.akamai.com> <aa52134a-ac20-bd70-8834-1598a8eaa536@bluepopcorn.net> <29B74569-6BB3-43F8-9549-566DA405B1FF@kitterman.com> <CAL0qLwaqPwb+cNhRCWLBp2qjTWtS65JAvstc9GfrhDDXRv+d6w@mail.gmail.com> <57fda1d5-b0b7-f226-60db-7f4c47233fc7@bluepopcorn.net> <CAL0qLwbFE5PzpOWzn-DwQ2D0z0=OAtEJLnwBbq2hk2SK2pc4Bg@mail.gmail.com> <87dfdc8c-5acc-e51e-a6d3-1e35611419b7@bluepopcorn.net> <BFDFAA4E-F253-497A-9881-D2223B45037A@kitterman.com> <CAMm+LwiPpPXbebhuKguRGzjtOMXv-=t9vS951R2nLSbjj+167Q@mail.gmail.com> <CAOZAAfPKvChF7wmsZ6mhsJ6VaArJ2AC+CqM1voY_RbHJ6WGr5Q@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Wed, 14 Jun 2017 05:34:41 -0700
Message-ID: <CAL0qLwa1yTRDPp33vf2vR3ozcxgSeAyrsZKsPZ90TPm3eXgrFA@mail.gmail.com>
To: Seth Blank <seth@valimail.com>
Cc: dcrup@ietf.org
Content-Type: multipart/alternative; boundary="001a113da7f4c5b0dc0551eac610"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/nJOWCXVoHsadki6KLTi12jrKwJ0>
Subject: Re: [Dcrup] rsa-sha1 usage
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jun 2017 12:34:45 -0000

On Wed, Jun 14, 2017 at 3:02 AM, Seth Blank <seth@valimail.com> wrote:

> On Wed, Jun 14, 2017 at 5:24 AM, Phillip Hallam-Baker <
> phill@hallambaker.com> wrote:
>>
>> It is a two step process in my view. First you rip out the generate,
>> then once the transition is complete, you rip out the accept.
>>
>
> I disagree. SHA-1 has been deprecated for far too long, but is still in
> wide use by major players. I'd argue step 1 was taken ages ago (with a
> SHOULD, not a MUST, but still...) and we're at step 2 *now* because senders
> aren't complying with up-to-date crypto standards on their own.
> [...]
>

I think that's an interesting perspective, specifically that step 1 was
taken a while ago, and I agree.  What we're discussing is the right way to
"rip out the accept".

I don't believe that either actor will be compelled to do anything more by
"MUST NOT" than by simply "We don't use that anymore because $REASONS."
I've been a medium-sized receiver before, and I work for a large sender
now.  If I decide I'm going to comply with the update, either prose is
compelling to me.  Am I exceptional in that regard?  Maybe I'm atypical
because I'm an IETF participant, but to me the general issue here plain old
operational inertia rather than the absence of an RFC telling them what to
do.

If a receiver says "update within 90 days or else", it will happen no
matter what the text says.  It could happen today even without us
publishing anything at all.  I would even posit that it's more likely for
M3AAWG to trigger that action than the IETF.

Please note that I'm not only being sticky on this point because I think
it's wrong.  Unnecessary use of RFC2119 language is a topic that's come up
with nearly every email-related standards track RFC where I've been a
contributor and has resulted in DISCUSSes during IESG Evaluation.  I'm
hoping to head off some of that back-and-forth later by getting it sorted
out now.

-MSK

v2.29.0 | Report a Bug | By Email | System Status