Re: [keyassure] Opening issue #21: "Need to specify which crypto

Sean Turner <turners@ieca.com> Thu, 03 March 2011 00:49 UTC


On 3/2/11 6:43 PM, Warren Kumari wrote:
>
> On Mar 2, 2011, at 6:24 PM, Phillip Hallam-Baker wrote:
>
>> There is currently no evidence that SHA2-256 is unacceptably weak.
>>
>> However it is based on the same construction as MD4, MD5 and SHA1. And
>> thus the reason for the current NIST competition.
>>
>>
>> Since the NIST competition is not currently complete, there is
>> currently no viable alternative to SHA2. While there are other
>> algorithms in use, I would expect the competition to supersede those
>> as well.
>>
>> I think that what we should do here is
>>
>> 1) Make support for SHA2-256 and SHA2-384 REQUIRED
>> 2) Ensure that it is feasible to transition from use of SHA2 to a new
>> algorithm
>
> <no hats>
> Shouldn't this be much much more general? "Ensure that it is feasible to
> transition to new algorithms"? <note: I don't know how we do this, but I
> also don't see why "from SHA2" would be a special case>
>
>> 3) Deprecate use of MD2,MD4,MD5 and SHA1.
>>
>
> Um, I'm confused by number 3 -- I think that the only thing we need to
> do *here* is decide what we *do* support....
> Deprecating the use of other things, while fine and good, doesn't need
> to happen *here* if we don't support them...
>
> W
> </no hats>

#3 is kind of taken care of.  MD2 and MD4 are being made historic:

http://datatracker.ietf.org/doc/draft-turner-md2-to-historic/
http://datatracker.ietf.org/doc/draft-turner-md4-to-historic/

and the security considerations for MD5 were updated:

http://datatracker.ietf.org/doc/draft-turner-md5-seccon-update/

spt

>>
>> The second point is really rather important since even though it is
>> possible to emit bit strings that use SHA2 in protocols such as SSL
>> and S/MIME, it is not feasible to use them in practice because there
>> is no way to know whether the other party is one of those which is
>> capable of using them.
>>
>> On Tue, Mar 1, 2011 at 5:38 PM, Paul Hoffman <paul.hoffman@vpnc.org>
>> wrote:
>>> On 3/1/11 1:37 PM, Phillip Hallam-Baker wrote:
>>>>
>>>> This particular topic is one on which the Security ADs and the IETF
>>>> chair have very very specific opinions. And given their role in
>>>> trying to effect an industry wide transition to stronger algorithms, I
>>>> think that they are quite right to insist on them.
>>>
>>> If you can quote previous statements from any of them suggesting that
>>> SHA-256 is suspect, that would be more useful than you simply suggesting
>>> that they had said something. It would be useful to this discussion for
>>> each of us to speak only for ourselves and for those who have asked us
>>> to speak for them, or to quote others whom we think are authorities.
>>> _______________________________________________
>>> keyassure mailing list
>>> keyassure@ietf.org
>>> https://www.ietf.org/mailman/listinfo/keyassure
>>>
>>
>>
>>
>> --
>> Website: http://hallambaker.com/
>>
>
> --
> We know about as much about software quality problems as they knew about
> the Black Plague in the 1600s. We've seen the victims' agonies and
> helped burn the corpses. We don't know what causes it; we don't really
> know if there is only one disease. We just suffer -- and keep pouring
> our sewage into our water supply.
>
> -- Tom Van Vleck
>