Re: [DNSOP] [secdir] Secdir review of draft-ietf-dnsop-rfc2845bis-06

Warren Kumari <warren@kumari.net> Thu, 06 February 2020 15:25 UTC

From: Warren Kumari <warren@kumari.net>
Date: Thu, 06 Feb 2020 10:24:46 -0500
Message-ID: <CAHw9_i+r+1Yd83baSsqkNS3eQtn-z=gQTya+w5Zo+ORwPG7p=g@mail.gmail.com>
To: draft-ietf-dnsop-rfc2845bis@ietf.org
Cc: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/n4QVQ6HmLYdTxoneeu9jBZ4-Llk>

Authors,

It has been 2 weeks - when can we expect to see an update?
W

On Thu, Jan 23, 2020 at 7:29 PM Warren Kumari <warren@kumari.net> wrote:
>
> Great, I'll take the silence as wide endorsement, and ask that the
> authors update the document with this text (or something similar...) -
> I'll then start IESG Eval.
>
> Thanks again to Tony for the text, and Magnus for the review,
> W
>
>
> On Tue, Jan 21, 2020 at 3:46 PM Warren Kumari <warren@kumari.net> wrote:
> >
> > On Tue, Jan 21, 2020 at 12:31 PM Tony Finch <dot@dotat.at> wrote:
> > >
> > > Warren Kumari <warren@kumari.net> wrote:
> > > >
> > > > I don't think that it is realistic to deprecate SHA-1 in TSIG for the
> > > > foreseeable future, but stronger recommendations about moving to
> > > > SHA-256 might be in order.
> > >
> > > Yes.
> > >
> > > > There is already some text:
> > >
> > > For context, the preceding paragraph says:
> > >
> > >    The only message digest algorithm specified in the first version of
> > >    these specifications [RFC2845] was "HMAC-MD5" (see [RFC1321],
> > >    [RFC2104]).  Although a review of its security [RFC6151] concluded
> > >    that "it may not be urgent to remove HMAC-MD5 from the existing
> > >    protocols", with the availability of more secure alternatives the
> > >    opportunity has been taken to make the implementation of this
> > >    algorithm optional.
> > >
> > > >    The use of SHA-1 [FIPS180-4], [RFC3174], (which is a 160-bit hash as
> > > >    compared to the 128 bits for MD5), and additional hash algorithms in
> > > >    the SHA family [FIPS180-4], [RFC3874], [RFC6234] with 224, 256, 384,
> > > >    and 512 bits may be preferred in some cases.  This is because
> > > >    increasingly successful cryptanalytic attacks are being made on the
> > > >    shorter hashes.
> > >
> > > I think the quoted paragraph should say something like:
> > >
> > >    [RFC4635] added mandatory support in TSIG for SHA-1 [FIPS180-4],
> > >    [RFC3174]. SHA-1 collisions have been demonstrated so the MD5
> > >    security considerations apply to SHA-1 in a similar manner.
> > >
> > >    Although support for hmac-sha1 in TSIG is still mandatory for
> > >    compatibility reasons, existing uses should be replaced with
> > >    hmac-sha256 or other SHA-2 digest algorithms [FIPS180-4], [RFC3874],
> > >    [RFC6234].
> > >
> > > Tony.
> >
> >
> > Oooh. I like it - that seems to address both my, and (presumably!)
> > Magnus' concerns -- anyone object / have any additions?
> >
> > W
> >
> > > --
> > > f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> > > German Bight: West veering northwest 4 or 5. Slight or moderate. Occasional
> > > drizzle. Good, occasionally poor.



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
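As an added illustration (not part of the thread, the draft, or any implementation it cites), the following Python computes and verifies a TSIG request MAC over the TSIG variables from RFC 2845 for the three algorithms the thread discusses, and flags configurations still on hmac-md5 or hmac-sha1 in line with Tony's proposed text; the key, message and names are constructed.

```python
import hashlib
import hmac
import struct

# TSIG algorithm names (hmac-md5.sig-alg.reg.int from RFC 2845; hmac-sha1 and hmac-sha256
# from RFC 4635). Per the thread, the first two stay supported but should be replaced.
TSIG_ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int": hashlib.md5,
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
}
LEGACY_ALGORITHMS = {"hmac-md5.sig-alg.reg.int", "hmac-sha1"}

def canonical(name):
    """Canonical name form used in the MAC input: lowercase, no trailing dot."""
    return name.lower().rstrip(".")

def wire_name(name):
    """Uncompressed DNS wire format: length-prefixed labels followed by the root label."""
    labels = [l for l in canonical(name).split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_variables(key_name, algorithm, time_signed, fudge=300, error=0, other=b""):
    """TSIG variables covered by the MAC (RFC 2845 section 3.4.2): key name, class ANY,
    TTL 0, algorithm name, 48-bit time signed, fudge, error, other length, other data."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(algorithm)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(key, message, key_name, algorithm, time_signed, fudge=300):
    """Request MAC: HMAC over the unsigned DNS message followed by the TSIG variables
    (a response MAC additionally prepends the request MAC; not handled here)."""
    digest = TSIG_ALGORITHMS[canonical(algorithm)]
    data = message + tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(key, data, digest).digest()

def tsig_verify(key, message, key_name, algorithm, time_signed, mac, fudge=300):
    """Recompute the MAC and compare in constant time; a modified message or wrong key fails."""
    return hmac.compare_digest(tsig_mac(key, message, key_name, algorithm, time_signed, fudge), mac)

def algorithm_advice(algorithm):
    """Configuration check reflecting the thread's recommendation for hmac-md5/hmac-sha1."""
    alg = canonical(algorithm)
    if alg not in TSIG_ALGORITHMS:
        return "not in table"
    return "replace with hmac-sha256" if alg in LEGACY_ALGORITHMS else "ok"

# Constructed sample: minimal DNS header (ID 0x1234, one question) plus question example.com A IN.
SAMPLE_MESSAGE = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0) + wire_name("example.com") + struct.pack("!HH", 1, 1)
SAMPLE_KEY = b"constructed-shared-secret"
```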