Re: [keyassure] crypto hash alg deprecation is a myth

Phillip Hallam-Baker <hallam@gmail.com> Thu, 03 March 2011 13:56 UTC

In-Reply-To: <201103030746.53024.rob.stradling@comodo.com>
References: <201103030509.p2359FSK025866@fs4113.wdf.sap.corp> <201103030746.53024.rob.stradling@comodo.com>
Date: Thu, 03 Mar 2011 08:57:04 -0500
Message-ID: <AANLkTimgvJ5G4NystNrBUXdq2rNkp8THC1tPGQEfV97T@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Rob Stradling <rob.stradling@comodo.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Cc: keyassure@ietf.org
Subject: Re: [keyassure] crypto hash alg deprecation is a myth

On another algorithm issue, certain people were waiting for CAs to
support the new algorithm before implementing them in application
software.

By support, they meant issue certificates that would break with their software.


The reason that there is concern about algorithm support in protocols
is that it takes a very very long time to get changes through the
system. It can take five years to persuade vendors to make changes and
then another ten for the old software to work through the system.

Auto update helps, but that may only prove to be a temporary change.
There are enough applications out there that do auto update very badly
that people are being taught to turn them off.


One of the very few signals available that is listened to is to stop
supporting old algorithms in new protocols.


On Thu, Mar 3, 2011 at 2:46 AM, Rob Stradling <rob.stradling@comodo.com> wrote:
> On Thursday 03 Mar 2011 05:09:15 Martin Rex wrote:
>> Phillip Hallam-Baker wrote:
>> > Further, even though we stopped using MD5 in the mid 90s
>>
> <snip>
>> Firefox happily verifies md5WithRsaEncryption signatures on TLS server
>> certs.
>
> Not for much longer.
>
> https://wiki.mozilla.org/CA:MD5and1024 says:
> "    * June 30, 2011 – Mozilla will stop accepting MD5 as a hash algorithm for
> intermediate and end-entity certificates. After this date software published
> by Mozilla will return an error when a certificate with an MD5-based signature
> is used.
>          o This change is being tracked in
> https://bugzilla.mozilla.org/show_bug.cgi?id=590364"
>
> <snip>
>> MSIE 8 on Windows 7 (and prior) will happily talk to TLS servers
>> using certs signed not only with md5WithRsaSignature, but also
>> md2WithRsaSignature and even (**cough**) md4WithRsaSignature!
>
> http://technet.microsoft.com/en-us/library/cc751157.aspx#EMAA says:
> "In the event of an imminent MD5 pre-image attack
> Microsoft may update Windows to reject all MD2, MD4 or MD5 end-entity and
> subordinate CA certificates when it has reasons to believe that successful MD5
> pre-image attacks are imminent."
>
> Perhaps somebody should ask them to consider switching off MD2 and MD4 sooner
> than that.
>
> <snip>
>> (If it is possible to disable md5WithRsaEncryption signature verification
>>  in Firefox 3.5 -- then it is sufficiently well hidden that I don't
>>  see it.)
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=590364 suggests setting the
> following environment variable:
>
> NSS_HASH_ALG_SUPPORT=-MD2,-MD5
>
> <snip>
>
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
>



-- 
Website: http://hallambaker.com/
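The thread above turns on which signature hashes a TLS client still accepts on certificates (md2/md4/md5WithRSAEncryption) and on Mozilla's cut-off date for rejecting them. The following script is an added example, not code from the thread or from any of the participants: a minimal DER walker that reads the outer Certificate SEQUENCE, decodes the signatureAlgorithm OID, and classifies the certificate as accept/reject/unknown against a policy that rejects MD2, MD4 and MD5. The OID table is from RFC 3279/RFC 4055; the sample certificate bytes are constructed in the script (a structurally valid Certificate with a dummy body, not a real certificate) so it runs offline. Running it over real DER files is a matter of passing their bytes to `audit()`.

```python
"""Audit X.509 certificates for signatures made with broken hashes (MD2/MD4/MD5).

Added example (not from the mailing-list thread). Parses only the outer
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
and decodes the AlgorithmIdentifier OID. Sample input is constructed below.
"""

# Signature-algorithm OIDs (RFC 3279 / RFC 4055) and the hash each one uses.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "MD2"),
    "1.2.840.113549.1.1.3": ("md4WithRSAEncryption", "MD4"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}

# Hashes the policy rejects (the set the thread discusses; SHA-1 is left to a later policy).
REJECTED_HASHES = {"MD2", "MD4", "MD5"}


def read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def decode_oid(raw):
    """Decode OID contents bytes (base-128 sub-identifiers) into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this sub-identifier
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, start, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(cert_der, start)          # skip tbsCertificate
    tag, alg_start, _ = read_tlv(cert_der, tbs_end)    # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(cert_der[oid_start:oid_end])


def audit(cert_der):
    """Return (oid, algorithm name, verdict); verdict is accept, reject or unknown."""
    oid = signature_algorithm(cert_der)
    name, hash_name = SIGNATURE_OIDS.get(oid, ("unknown", None))
    if hash_name is None:
        return oid, name, "unknown"   # unknown algorithm: surface it rather than guess
    return oid, name, "reject" if hash_name in REJECTED_HASHES else "accept"


# --- constructed sample data (not a real certificate) -------------------------

def der(tag, content):
    """Encode one TLV, using long-form length where needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """Encode a dotted OID into DER contents bytes (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_certificate(sig_oid):
    """Structurally valid Certificate SEQUENCE with a placeholder body and dummy signature."""
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    sig = der(0x03, b"\x00" + b"\xAA" * 128)   # 129 bytes: exercises long-form length
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(audit(fake_certificate(oid)))
```

The walker deliberately reads only the outer signatureAlgorithm: that is the field a relying party checks before trusting a signature, and an audit over a certificate store needs nothing else from the body. An OID outside the table is reported as unknown rather than silently accepted, which matters when the goal is to find every certificate a client such as the ones discussed above would still verify.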