Re: [MMUSIC] 4572 update: forbid weak hashes?

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 07 April 2016 14:09 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 07 Apr 2016 14:08:57 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/mmusic/19daHgqzcs9fn9hVPB7u7SOZbjU>
Cc: Jonathan Lennox <jonathan@vidyo.com>, mmusic <mmusic@ietf.org>
Subject: Re: [MMUSIC] 4572 update: forbid weak hashes?

Hi Martin,

I'd have to double check the MMUSIC minutes, but if I remember correctly people did not want to check multiple hashes (point 2).

Regards,

Christer

-----Original Message-----
From: Martin Thomson [mailto:martin.thomson@gmail.com] 
Sent: 07 April 2016 17:06
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: Jonathan Lennox <jonathan@vidyo.com>; mmusic <mmusic@ietf.org>
Subject: Re: [MMUSIC] 4572 update: forbid weak hashes?

On 7 April 2016 at 10:35, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
>> If we do this, it removes some of the questions about “do you need to verify a fingerprint for every hash algorithm, or only one.”
>
> What about saying that one MUST match on the strongest hash received?

Maybe three pieces of advice are right.

1. Implement the strongest hash you can
2. Check all the hashes you can
3. Don't accept a session if you can only check weak hashes
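
Added example, not part of the thread or of any draft text: one way a receiver could apply the three pieces of advice above to the `a=fingerprint` lines of an SDP body. Assumptions: the `WEAK` set is a local policy choice, "check all the hashes you can" is read as "every fingerprint whose hash can be computed locally must match", all fingerprint lines describe the same certificate, and the certificate bytes are a constructed stand-in.

```python
import hashlib
import hmac

# hash-func tokens from RFC 4572 mapped to hashlib names (md2 is not in hashlib).
HASHLIB_NAME = {"md5": "md5", "sha-1": "sha1", "sha-224": "sha224",
                "sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}
# Assumption: which algorithms count as "weak" is local policy, not from the thread.
WEAK = {"md2", "md5", "sha-1"}

def format_fingerprint(algo, cert_der):
    """Build an a=fingerprint line (uppercase hex pairs separated by colons)."""
    digest = hashlib.new(HASHLIB_NAME[algo], cert_der).hexdigest().upper()
    pairs = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return f"a=fingerprint:{algo} {pairs}"

def parse_fingerprints(sdp):
    """Return [(hash-func, digest bytes)] for every a=fingerprint line."""
    found = []
    for line in sdp.splitlines():
        if line.startswith("a=fingerprint:"):
            algo, hexpairs = line[len("a=fingerprint:"):].split()
            found.append((algo.lower(), bytes.fromhex(hexpairs.replace(":", ""))))
    return found

def verify_peer_cert(sdp, cert_der):
    """Apply the three checks; return (accepted, reason)."""
    checked = []
    for algo, expected in parse_fingerprints(sdp):
        if algo not in HASHLIB_NAME:
            continue  # cannot compute this hash locally, so it cannot be checked
        actual = hashlib.new(HASHLIB_NAME[algo], cert_der).digest()
        if not hmac.compare_digest(actual, expected):
            return False, f"{algo} fingerprint mismatch"
        checked.append(algo)
    if not checked:
        return False, "no fingerprint could be checked"
    if all(a in WEAK for a in checked):
        return False, "only weak hashes could be checked"
    return True, "matched " + ", ".join(checked)

# Constructed sample input: stand-in bytes, not a real DER certificate.
CERT = b"constructed stand-in for the peer's DER certificate"
OFFER = "\r\n".join(["v=0", format_fingerprint("sha-1", CERT),
                     format_fingerprint("sha-256", CERT)])
print(verify_peer_cert(OFFER, CERT))
```
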