IETF Logo Mail Archive

Re: [MMUSIC] 4572 update: forbid weak hashes?

Martin Thomson <martin.thomson@gmail.com> Thu, 07 April 2016 14:06 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 183BD12D1A4 for <mmusic@ietfa.amsl.com>; Thu, 7 Apr 2016 07:06:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1K2eHB_lonJB for <mmusic@ietfa.amsl.com>; Thu, 7 Apr 2016 07:06:09 -0700 (PDT)
Received: from mail-io0-x230.google.com (mail-io0-x230.google.com [IPv6:2607:f8b0:4001:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8DE612D104 for <mmusic@ietf.org>; Thu, 7 Apr 2016 07:06:08 -0700 (PDT)
Received: by mail-io0-x230.google.com with SMTP id o126so72655068iod.0 for <mmusic@ietf.org>; Thu, 07 Apr 2016 07:06:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-transfer-encoding; bh=lqgEub5s5Zr24XWEb7gb3Rj9h36JjfWJ+9nGQLzaLfA=; b=M9BmDx1AZAJlz5upO64Ei2uL+CoXF5QkreacYalc6hmbkUDpgqlFv5jFd9nALMikwv Oz8Su2g8DvchH25Fnn15WYGH2z6mIJjrHtulydsOwCUXUJeAw5uS+Mdi2Ckrc5+ph0qA BNXkudlCSM79268Na6iW3lRHUsOz1Xop7DWmQyIQo9x0M8+Yr3p9O4RtcBbQqX7y1nc7 V7voSEm9XRcJywhQDdQXoq/vk8CkXgR/6B/TGpdTZ9C9nCe4J9Ogcq3wQtn2qOOw9kmk 6L/ldf9Xe3GklkuHkBKJAo0ve08aP3z+KwL29bXQjVpCWs9huvDM8gQZRaPYtLuWAil8 G4ww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-transfer-encoding; bh=lqgEub5s5Zr24XWEb7gb3Rj9h36JjfWJ+9nGQLzaLfA=; b=YTECS+qd1go25YHvgr5+pPZusr53vYl2LkZjjUwppwTMWLqFRsVxfekyLyj6qaQ3lW yqsoWrpYZaaU+B6Zmr/eFJIRYy9BtCPCSTa0mjr3uAfrD7w/qSx4KE2favSClaNftcil 3Dw10wdo5VHOoVXo2ORZIvr0i5+WINaMkC1pFRpPGzf3Pd5shSJm1+uv9LrbTN/HTEib 7ngDbnDrCP4ECCbbgu3/+d8I+PheaL/yr8KN+hd55GYYwlePNnqfm3bv/CL8WxHkfyY3 GRExIjD769FqrJ+pwgoHbEMm6MPGfRkNB2m6FQq4n7F8QZEAEbFXWVu50uzMyfb2fMxI O2jw==
X-Gm-Message-State: AD7BkJK33m7AmXoxXT0dcyYEQksHZJUxsBm7o2Ul9YU+SAlL4mWLFCVKYxJ5U7jZ1FWfbzJCCqe9qaA9UkMT2g==
MIME-Version: 1.0
X-Received: by 10.107.161.140 with SMTP id k134mr3889439ioe.190.1460037968100; Thu, 07 Apr 2016 07:06:08 -0700 (PDT)
Received: by 10.36.43.5 with HTTP; Thu, 7 Apr 2016 07:06:08 -0700 (PDT)
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B37F27B70@ESESSMB209.ericsson.se>
References: <4D60EE45-BECA-4A46-98EF-FF4AA482B42E@vidyo.com> <7594FB04B1934943A5C02806D1A2204B37F27B70@ESESSMB209.ericsson.se>
Date: Thu, 07 Apr 2016 11:06:08 -0300
Message-ID: <CABkgnnU0qwkUGLv4rkax3hbat9Fb6kXDH9TKZv3MukepN7PkmQ@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/mmusic/95k7e2S8sJ9L73WUfLlVFCH1jp8>
Cc: Jonathan Lennox <jonathan@vidyo.com>, mmusic <mmusic@ietf.org>
Subject: Re: [MMUSIC] 4572 update: forbid weak hashes?
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2016 14:06:15 -0000

On 7 April 2016 at 10:35, Christer Holmberg
<christer.holmberg@ericsson.com> wrote:
>>If we do this, it removes some of the questions about “do you need to verify a fingerprint for every >hash algorithm, or only one.”
>
> What about saying that one MUST match on the strongest hash received?

Maybe three pieces of advice are right.

1. Implement the strongest hash you can
2. Check all the hashes you can
3. Don't accept a session if you can only check weak hashes

v2.23.0 | Report a Bug | By Email