Re: [MMUSIC] 4572 update: forbid weak hashes?

Roman Shpount <roman@telurix.com> Mon, 25 April 2016 19:18 UTC

On Mon, Apr 25, 2016 at 2:37 PM, Christer Holmberg <christer.holmberg@ericsson.com> wrote:

> > There is no indication what fingerprint applies to what certificate in
> > SDP fingerprint attribute. The rule should be if connection is
> > established a certificate which matches at least one hash that you
> > consider secure, the connection should be accepted. If you would make it
> > more complicated, this will likely break backwards interop or would
> > require changes to fingerprint/DTLS/certificates.
>
>
>
> I don’t want to make things complicated – I want to agree on something,
> update the draft based on that, and go WGLC :)
>
>
>
I agree with trying to keep things simple. This means agreeing to something
that is secure enough (one match for anything you consider secure is
enough) vs trying to create something that is more secure (one fingerprint
for each offered fingerprint hash algorithm must match).

Regards,
_____________
Roman Shpount
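
The two acceptance rules contrasted in this message, side by side, as an added example that is not part of the original e-mail or of the draft under discussion. The `SECURE` set, the function names and the byte strings standing in for DER certificates are assumptions made for illustration.

```python
import hashlib

# RFC 4572 hash-func tokens mapped to hashlib names.
HASHLIB_NAME = {"sha-1": "sha1", "sha-224": "sha224", "sha-256": "sha256",
                "sha-384": "sha384", "sha-512": "sha512"}
# Local policy (assumption): hashes this endpoint considers secure.
SECURE = {"sha-256", "sha-384", "sha-512"}

def parse_fingerprints(sdp):
    """Return [(hash_func, digest_bytes)] for every a=fingerprint line."""
    out = []
    for line in sdp.splitlines():
        line = line.strip()
        if not line.lower().startswith("a=fingerprint:"):
            continue
        parts = line.split(":", 1)[1].split()
        if len(parts) != 2:
            continue  # malformed attribute, ignore it
        try:
            out.append((parts[0].lower(), bytes.fromhex(parts[1].replace(":", ""))))
        except ValueError:
            continue  # non-hex fingerprint value
    return out

def matches(func, digest, cert_der):
    name = HASHLIB_NAME.get(func)  # unknown hash functions never match
    return name is not None and hashlib.new(name, cert_der).digest() == digest

def accept_any_secure(sdp, cert_der):
    """Simple rule: one match on a hash considered secure is enough."""
    return any(f in SECURE and matches(f, d, cert_der)
               for f, d in parse_fingerprints(sdp))

def accept_every_offered_hash(sdp, cert_der):
    """Stricter rule: every offered hash function needs a matching fingerprint."""
    fps = parse_fingerprints(sdp)
    funcs = {f for f, _ in fps}
    return bool(funcs) and all(
        any(f == g and matches(f, d, cert_der) for f, d in fps) for g in funcs)

def fp_line(func, cert_der):
    h = hashlib.new(HASHLIB_NAME[func], cert_der).hexdigest().upper()
    return "a=fingerprint:%s %s" % (func, ":".join(h[i:i + 2] for i in range(0, len(h), 2)))

# Constructed sample data: byte strings standing in for two DER certificates.
CERT_A = b"constructed stand-in for certificate A (DER)"
CERT_B = b"constructed stand-in for certificate B (DER)"
# SDP cannot say which fingerprint belongs to which certificate.
SDP = "\r\n".join([fp_line("sha-1", CERT_A), fp_line("sha-256", CERT_A),
                   fp_line("sha-256", CERT_B)])
WEAK_ONLY_SDP = "\r\n".join([fp_line("sha-1", CERT_A), fp_line("sha-256", CERT_B)])
```

With `SDP`, the simple rule accepts either certificate, while the stricter rule rejects certificate B because no sha-1 fingerprint was offered for it. With `WEAK_ONLY_SDP`, certificate A is rejected by the simple rule because it matches only a sha-1 fingerprint.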