[DNSOP] RFC 2845bis and HMAC-MD5

Martin Hoffmann <martin@opennetlabs.com> Thu, 14 March 2019 14:53 UTC

Return-Path: <martin@opennetlabs.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 041EF12D4F0 for <dnsop@ietfa.amsl.com>; Thu, 14 Mar 2019 07:53:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id WAqj77oiPoS9 for <dnsop@ietfa.amsl.com>; Thu, 14 Mar 2019 07:53:28 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE09F129BBF for <dnsop@ietf.org>; Thu, 14 Mar 2019 07:53:26 -0700 (PDT)
Received: from glaurung.nlnetlabs.nl (unknown [IPv6:2a04:b900:0:1:a2c5:89ff:feb5:e311]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 812331C5A5 for <dnsop@ietf.org>; Thu, 14 Mar 2019 15:53:24 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none (p=none dis=none) header.from=opennetlabs.com
Authentication-Results: dicht.nlnetlabs.nl; spf=none smtp.mailfrom=martin@opennetlabs.com
Date: Thu, 14 Mar 2019 15:53:24 +0100
From: Martin Hoffmann <martin@opennetlabs.com>
To: dnsop@ietf.org
Message-ID: <20190314155324.4841ce29@glaurung.nlnetlabs.nl>
Organization: Open Netlabs
X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PxKECTWvTT89SGIsZyrBDhGYeWA>
Subject: [DNSOP] RFC 2845bis and HMAC-MD5
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2019 14:53:30 -0000


when looking over draft-ietf-dnsop-rfc2845bis I was hoping that it
would relax the mandatory requirement for HMAC-MD5, but no such luck.

Given that most protocols have either made MD5 optional or banned it
outright, some modern crypto libraries have decided to drop it from
their supported algorithms. It seems to me that forcing new code to
include dependencies for MD5 is unnecessary.

As such, I would like to propose to move HMAC-MD5 to optional and only
retain SHA-1 and SHA-256 as mandatory.

Kind regards,