Re: [MMUSIC] draft-4572-update: Spec contains references to a number of obsoleted RFCs

Roman Shpount <roman@telurix.com> Tue, 03 January 2017 17:44 UTC

From: Roman Shpount <roman@telurix.com>
Date: Tue, 03 Jan 2017 12:44:32 -0500
To: Cullen Jennings <fluffy@iii.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/bdhDD9G-x1zyn1H1cy0V-oa7EUs>
Cc: Jonathan Lennox <jonathan@vidyo.com>, "mmusic@ietf.org" <mmusic@ietf.org>, Christer Holmberg <christer.holmberg@ericsson.com>
Subject: Re: [MMUSIC] draft-4572-update: Spec contains references to a number of obsoleted RFCs

I agree, I think MD2 and MD5 should be defined in the grammar but the
specification should state that they MUST NOT be used. This way there are
no potential backwards interop problems.

Regards,

_____________
Roman Shpount

On Tue, Jan 3, 2017 at 12:34 PM, Cullen Jennings <fluffy@iii.ca> wrote:

>
> Trivial nit but ...
>
> Actually I don't think you want MD5 treated as an unknown hash, you want
> it treated as a known but don't use. If A offers old and bad crypto to B, we
> have B log that such that we can track down and upgrade A. If we got a
> new unknown cipher called SSHHAA we would not log that as bad crypto because
> we would assume it was new and good.
>
>
> > On Jan 2, 2017, at 11:03 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> > On Mon, Jan 2, 2017 at 2:41 AM, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
> > Hi,
> >
> > >We can remove MD2.  MD5 is dead, SHA-1 is in its death throes, but MD2
> > >is merely a (bad) memory.
> >
> > So, my suggestion is to remove all references to MD2 (including the
> > ABNF) for now, and we'll then see what the security folks say about MD5 and
> > SHA-1.
> >
> > Given the threat model here, I think we want to tell people to ignore
> > MD* (i.e., treat it as an unknown hash) and to accept SHA-1 (though perhaps
> > only temporarily). Accordingly, I propose removing MD2 and MD5 from this
> > grammar, but leave SHA-1.
> >
> > -Ekr
> >
> >
> > Regards,
> >
> > Christer
> >
> >
> > On 30 December 2016 at 22:27, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
> > > Hi,
> > >
> > >
> > >
> > > Please note the following:
> > >
> > >
> > >
> > > RFC 6149, which obsoletes RFC 1319, makes MD2 historic. Do people have
> > > a problem with that? I assume we’ll end up in trouble with the
> > > security folks if we keep the old RFC…
> > >
> > >
> > >
> > > And, considering MD2 is historic, do we even need to mention it in
> > > draft-4572-update anymore?
> > >
> > >
> > >
> > > Regards,
> > >
> > >
> > >
> > > Christer
> > >
> > >
> > >
> > >
> > >
> > > From: mmusic [mailto:mmusic-bounces@ietf.org] On Behalf Of Christer
> > > Holmberg
> > > Sent: 30 December 2016 11:42
> > > To: mmusic@ietf.org
> > > Cc: Jonathan Lennox (jonathan@vidyo.com) <jonathan@vidyo.com>; Cullen
> > > Jennings (fluffy@iii.ca) <fluffy@iii.ca>
> > > Subject: [MMUSIC] draft-4572-update: Spec contains references to a
> > > number of obsoleted RFCs
> > >
> > >
> > >
> > > Hi,
> > >
> > >
> > >
> > > The idnits check returns the following for draft-4572-update.
> > >
> > >
> > >
> > >   ** Obsolete normative reference: RFC 1319 (ref. '3') (Obsoleted by RFC 6149)
> > >   ** Downref: Normative reference to an Informational RFC: RFC 1321 (ref. '4')
> > >   ** Obsolete normative reference: RFC 3280 (ref. '8') (Obsoleted by RFC 5280)
> > >   ** Obsolete normative reference: RFC 4234 (ref. '11') (Obsoleted by RFC 5234)
> > >   ** Obsolete normative reference: RFC 4288 (ref. '12') (Obsoleted by RFC 6838)
> > >   ** Obsolete normative reference: RFC 4346 (ref. '13') (Obsoleted by RFC 5246)
> > >   -- Obsolete informational reference (is this intentional?): RFC 2617 (ref.
> > >      '15') (Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617)
> > >   -- Obsolete informational reference (is this intentional?): RFC 3525 (ref.
> > >      '20') (Obsoleted by RFC 5125)
> > >   -- Obsolete informational reference (is this intentional?): RFC 3851 (ref.
> > >      '22') (Obsoleted by RFC 5751)
> > >
> > >
> > >
> > > The reason for this is that we used RFC 4572 as base, and did not
> > > change/update the references.
> > >
> > >
> > >
> > > I had a look, and I don’t think there should be any issues in
> > > replacing the current RFCs with the new ones. But, please indicate if
> > > you see any issues.
> > >
> > >
> > >
> > > Regards,
> > >
> > >
> > >
> > > Christer
> > _______________________________________________
> > mmusic mailing list
> > mmusic@ietf.org
> > https://www.ietf.org/mailman/listinfo/mmusic
> >
>
>
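
The receiver-side behaviour argued for in this thread, as an added example that is not part of the thread or of draft-4572-update: hash names in `a=fingerprint` lines fall into three classes, and only the known-but-forbidden class (MD2, MD5) is logged so the offering peer can be tracked down and upgraded, while an unrecognised name is ignored quietly. The policy sets, the `classify` function, the peer label and the sample SDP lines are assumptions constructed for illustration.

```python
import logging
import re

log = logging.getLogger("sdp.fingerprint")

# Assumed policy for this example, following the thread: MD2 and MD5 stay
# recognisable but MUST NOT be used; SHA-1 is still accepted for now.
DEPRECATED = {"md2", "md5"}
ACCEPTED = {"sha-1", "sha-224", "sha-256", "sha-384", "sha-512"}

# a=fingerprint:<hash-func> <colon-separated upper-case hex bytes>
FP_LINE = re.compile(
    r"^a=fingerprint:(?P<func>[!#$%&'*+\-.0-9A-Z^_`a-z{|}~]+) "
    r"(?P<fp>[0-9A-F]{2}(?::[0-9A-F]{2})*)$"
)


def classify(sdp: str, peer: str):
    """Return (usable, deprecated, unknown) for the fingerprints in one SDP body."""
    usable, deprecated, unknown = [], [], []
    for line in sdp.splitlines():
        m = FP_LINE.match(line.strip())
        if not m:
            continue
        func = m["func"].lower()  # hash function names compare case-insensitively
        if func in ACCEPTED:
            usable.append((func, m["fp"]))
        elif func in DEPRECATED:
            # Known and bad: refuse it, and record who sent it.
            log.warning("peer %s offered forbidden fingerprint hash %s", peer, func)
            deprecated.append(func)
        else:
            # Unknown token: may be newer than this implementation, so no alarm.
            unknown.append(func)
    return usable, deprecated, unknown


# Constructed sample offer; the fingerprint bytes are placeholders, not real digests.
MD5_FP = ":".join(["AB"] * 16)
SHA1_FP = ":".join(["CD"] * 20)
SAMPLE_SDP = "\r\n".join([
    "m=image 54111 TCP/TLS t38",
    f"a=fingerprint:MD5 {MD5_FP}",
    f"a=fingerprint:SHA-1 {SHA1_FP}",
    "a=fingerprint:SSHHAA 01:02:03",
])

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(classify(SAMPLE_SDP, "peer-A"))
```

A session is acceptable only if `usable` is non-empty; the `deprecated` list is what feeds the upgrade-tracking log the thread asks for.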