Re: [Int-dir] Intdir last call review of draft-ietf-tls-md5-sha1-deprecate-04

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Mon, 02 November 2020 11:53 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Ted Lemon <mellon@fugue.com>, "int-dir@ietf.org" <int-dir@ietf.org>
CC: "draft-ietf-tls-md5-sha1-deprecate.all@ietf.org" <draft-ietf-tls-md5-sha1-deprecate.all@ietf.org>
Date: Mon, 02 Nov 2020 11:53:16 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-dir/4vXRlkbPr2kH8loRNozIXKjqZUA>

[-last-call -tls]

Thank you Ted for this Last Call review

-éric

-----Original Message-----
From: Int-dir <int-dir-bounces@ietf.org> on behalf of Ted Lemon via Datatracker <noreply@ietf.org>
Reply-To: Ted Lemon <mellon@fugue.com>
Date: Wednesday, 28 October 2020 at 16:56
To: "int-dir@ietf.org" <int-dir@ietf.org>
Cc: "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-tls-md5-sha1-deprecate.all@ietf.org" <draft-ietf-tls-md5-sha1-deprecate.all@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: [Int-dir] Intdir last call review of draft-ietf-tls-md5-sha1-deprecate-04

    Reviewer: Ted Lemon
    Review result: Ready with Nits

    This document is ready for publication, with one minor nit, which is included
    at the end.

    Éric additionally made the following request:
      As those hash algorithms were 'cheap' for TLS, I would appreciate a review of
      the impact if those algorithms are deprecated in TLS 1.2.

    I am not in a position to do any practical tests, but I will point out several
    things. First, deprecating MD5 is not going to cause a performance problem
    because it's slower than SHA1, so we really only need to worry about whether
    deprecating SHA1 will cause a problem. This document only deprecates SHA1 for
    use in digital signatures. It "does not deprecate SHA-1 in HMAC for record
    protection." Given the way TLS uses digital signatures, this should not be a
    serious concern. At worst case, SHA256 is about 24% slower than SHA1. Best case
    (shorter text) it is less than 16% slower. It's reasonable to expect that in
    common use in TLS, the texts being digested will be shorter, not longer.
    Further, the bulk of the computational burden of TLS is not in the generation
    of digests for digital signatures. Therefore it seems reasonable to expect that
    the performance impact of this change is vastly overshadowed by one of the very
    factors that motivates it: the increased speed of hash computation over time. 
    Even assuming constant speed legacy hardware, the performance impact is not
    sufficient to cause concern when considering it as part of the total system
    that would be using TLS 1.2.

    Nit:

    In the abstract:
       The MD5 and SHA-1 hashing algorithms are steadily weakening in
       strength and their deprecation process should begin for their use in
       TLS 1.2 digital signatures.

    Technically, the strength of these algorithms hasn't changed. What's changed is
    that their strength is no longer sufficient to prevent realistic attacks. So it
    might be better to say something like "The vulnerability of MD5 and SHA-1
    algorithms to practical attacks is steadily increasing and ..."



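
Added example, not part of the messages above or of the draft: the review separates SHA-1 in digital signatures (in scope) from SHA-1 in HMAC for record protection (out of scope), and this sketch audits only the former by parsing a TLS 1.2 signature_algorithms list and flagging MD5/SHA-1 entries. The code points are those of RFC 5246 section 7.4.1.4.1; the function names and the sample bytes are constructed for illustration.

```python
import struct

# HashAlgorithm / SignatureAlgorithm code points from RFC 5246, 7.4.1.4.1.
HASH = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
        4: "sha256", 5: "sha384", 6: "sha512"}
SIG = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
DEPRECATED_HASHES = {"md5", "sha1"}


def parse_signature_algorithms(ext_data: bytes):
    """Decode signature_algorithms extension_data into (hash, signature) names."""
    if len(ext_data) < 2:
        raise ValueError("truncated: missing list length")
    (list_len,) = struct.unpack_from("!H", ext_data, 0)
    body = ext_data[2:]
    # The list is a non-empty sequence of 2-byte pairs that fills the extension.
    if list_len == 0 or list_len % 2 or list_len != len(body):
        raise ValueError("malformed supported_signature_algorithms list")
    pairs = []
    for i in range(0, list_len, 2):
        h, s = body[i], body[i + 1]
        # Values outside the TLS 1.2 tables are reported as unknown, not
        # guessed at, and are never flagged as MD5/SHA-1.
        pairs.append((HASH.get(h, f"unknown({h})"), SIG.get(s, f"unknown({s})")))
    return pairs


def audit(ext_data: bytes):
    """Split the offered pairs into (md5/sha1 signature hashes, everything else).

    Only signature hashes are examined. A cipher suite that uses HMAC-SHA1
    for record protection is a separate negotiation and is not judged here.
    """
    pairs = parse_signature_algorithms(ext_data)
    weak = [p for p in pairs if p[0] in DEPRECATED_HASHES]
    rest = [p for p in pairs if p[0] not in DEPRECATED_HASHES]
    return weak, rest


# Constructed sample: a 10-byte list offering sha256/rsa, sha256/ecdsa,
# sha1/rsa, md5/rsa and sha1/ecdsa.
SAMPLE = bytes.fromhex("000a 0401 0403 0201 0101 0203")

if __name__ == "__main__":
    weak, rest = audit(SAMPLE)
    print("signature hashes to remove:", weak)
    print("unaffected:", rest)
```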