Re: [keyassure] Opening issue #21: "Need to specify which crypto
Phillip Hallam-Baker <hallam@gmail.com> Wed, 02 March 2011 17:03 UTC
In-Reply-To: <201103021529.p22FTFOu002845@fs4113.wdf.sap.corp>
References: <201103020150.p221owI6017784@fs4113.wdf.sap.corp> <201103021529.p22FTFOu002845@fs4113.wdf.sap.corp>
Date: Wed, 02 Mar 2011 12:04:56 -0500
Message-ID: <AANLkTikHANKvT49P5RUwjxRt5oEMFxV5dYQLcCXixLSA@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: mrex@sap.com
Cc: keyassure@ietf.org
Subject: Re: [keyassure] Opening issue #21: "Need to specify which crypto
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
The use of MD2 in a self-signed cert has little risk as far as use of the cert itself goes since it only serves as proof of possession which is only relevant when the browser provider chooses to install it in the browser. Under Windows the cert is actually authenticated under the CTL structure which uses SHA1 at the least.

There are certainly issues with MD2, but that is not one of them. Argument by analogy is a really bad way to conduct a security review.

We are not at all happy with the situation with respect to digest algorithms. Moving away from SHA1 is going to be a huge problem for the industry. If anyone here thinks that DANE is going to be allowed to add to that problem, well they need learning otherwise.

Choice of the crypto alg is meant to be the easy part of the problem.

On Wed, Mar 2, 2011 at 10:29 AM, Martin Rex <mrex@sap.com> wrote:
> Martin Rex wrote:
>>
>> And there are still a number of TrustAnchors in every Browser that
>> carry an md5WithRsaEncryption signature.
>>
>> But it's actually worse than that -- VeriSign still has a CA cert
>> in service with an md2WithRsaEncryption -- and is still using it
>> productively (check https://www.hp.com/).
>
> I'm terribly sorry, I mixed up the (by now long) list of VeriSign
> RootCA certs.
>
> The RootCA cert under which the server cert for https://www.hp.com
> is "VeriSign Class 3 Public Primary Certification Authority - G2"
> and uses sha1WithRsaEncryption. But it still is an X.509v1 cert.
>
> My Firefox 3.5.13 comes with these three VeriSign RootCA certs
> that are X.509v1, use md2WithRsaSignature and valid until 02-Aug-2028:
>
> "VeriSign Class 1 Public Primary Certification Authority"
> "VeriSign Class 2 Public Primary Certification Authority"
> "VeriSign Class 3 Public Primary Certification Authority"
>
>
> -Martin
>

--
Website: http://hallambaker.com/
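The distinction argued in the message above (a weak digest in the signature of a self-signed trust anchor is only a proof-of-possession matter, because trust comes from the store entry rather than from that signature, while a weak digest on a certificate that is actually chained to is a forgeable link) can be turned into a simple chain audit. The following is an added example, not code from the thread or from any of its participants. It uses only the Python standard library: a minimal DER reader and writer, three certificates constructed in the script with placeholder key and signature bytes (only the ASN.1 structure is real), and the standard PKCS#1 signature-algorithm OIDs. The audit exempts a certificate whose issuer equals its subject from the weak-algorithm check and reports it as informational, and fails any non-self-signed certificate signed with MD2, MD5 or SHA-1.

```python
# Added example (not from the thread): stdlib-only audit of the signature
# algorithm on each certificate of a chain, treating a self-signed trust
# anchor's own signature as proof of possession only. The certificates are
# constructed below with dummy key/signature bytes; the DER structure is real.

def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def oid_bytes(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        group = [p & 0x7F]          # base-128, last byte without continuation bit
        p >>= 7
        while p:
            group.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(group))
    return bytes(out)

def oid_str(b):
    parts, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

# Standard PKCS#1 signature algorithm identifiers.
MD2_RSA, MD5_RSA, SHA1_RSA = "1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"
SHA256_RSA, RSA = "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1"
WEAK = {MD2_RSA: "md2WithRSAEncryption", MD5_RSA: "md5WithRSAEncryption", SHA1_RSA: "sha1WithRSAEncryption"}
ALG_NAMES = {**WEAK, SHA256_RSA: "sha256WithRSAEncryption"}

def alg_id(oid):
    return tlv(0x30, tlv(0x06, oid_bytes(oid)) + tlv(0x05, b""))   # AlgorithmIdentifier with NULL params

def x509_name(cn):
    atv = tlv(0x30, tlv(0x06, oid_bytes("2.5.4.3")) + tlv(0x0C, cn.encode()))  # CN=<cn>
    return tlv(0x30, tlv(0x31, atv))   # Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue)

def make_cert(subject_cn, issuer_cn, sig_oid):
    """Constructed test certificate: valid DER layout, placeholder key and signature."""
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02")) +                              # [0] version v3
              tlv(0x02, b"\x01") +                                         # serialNumber
              alg_id(sig_oid) +                                            # inner signature alg
              x509_name(issuer_cn) +
              tlv(0x30, tlv(0x17, b"110302000000Z") + tlv(0x17, b"280802000000Z")) +  # validity
              x509_name(subject_cn) +
              tlv(0x30, alg_id(RSA) + tlv(0x03, b"\x00" * 9)))             # placeholder SPKI
    return tlv(0x30, tbs + alg_id(sig_oid) + tlv(0x03, b"\x00" * 17))     # placeholder signature

def common_name(name_content):
    atv_content = children(children(name_content)[0][1])[0][1]
    return children(atv_content)[1][1].decode()

def inspect(cert_der):
    """Extract subject CN, outer signature algorithm OID and whether issuer == subject."""
    tbs, sig_alg, _ = children(read_tlv(cert_der)[1])
    fields = children(tbs[1])
    i = 1 if fields[0][0] == 0xA0 else 0             # explicit [0] version is optional
    issuer, subject = fields[i + 2][1], fields[i + 4][1]
    return {"subject": common_name(subject),
            "sig_alg": oid_str(children(sig_alg[1])[0][1]),
            "self_signed": issuer == subject}

def audit_chain(chain_der):
    """Return (subject, algorithm name, verdict) per certificate, leaf first."""
    report = []
    for der in chain_der:
        info = inspect(der)
        alg = ALG_NAMES.get(info["sig_alg"], info["sig_alg"])
        if info["self_signed"]:
            verdict = "info"    # trust anchor: its signature is never what establishes trust
        elif info["sig_alg"] in WEAK:
            verdict = "fail"    # weak digest on a certificate that is actually chained to
        else:
            verdict = "ok"
        report.append((info["subject"], alg, verdict))
    return report

# Constructed chain: SHA-1 leaf, SHA-256 intermediate, MD2 self-signed root.
CHAIN = [make_cert("www.example.test", "Example Issuing CA", SHA1_RSA),
         make_cert("Example Issuing CA", "Example Root CA", SHA256_RSA),
         make_cert("Example Root CA", "Example Root CA", MD2_RSA)]

if __name__ == "__main__":
    for row in audit_chain(CHAIN):
        print("%-22s %-25s %s" % row)
```

Running the script reports the SHA-1 leaf as a failure, the SHA-256 intermediate as fine, and the MD2 root as informational only. On real input, feed `audit_chain` the DER of each certificate in the order the server presents them; the self-signed check is a structural comparison of issuer and subject, so the exemption applies only to genuine trust anchors and never to a cross-signed root, whose issuer differs from its subject.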