IETF Logo Mail Archive

[MMUSIC] 4572 update: forbid weak hashes?

Jonathan Lennox <jonathan@vidyo.com> Thu, 07 April 2016 12:31 UTC

Return-Path: <prvs=890589b9c5=jonathan@vidyo.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAE0A12D892 for <mmusic@ietfa.amsl.com>; Thu, 7 Apr 2016 05:31:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CbwAO9lrfDk6 for <mmusic@ietfa.amsl.com>; Thu, 7 Apr 2016 05:31:42 -0700 (PDT)
Received: from mx0a-00198e01.pphosted.com (mx0a-00198e01.pphosted.com [67.231.149.202]) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D801B12D88D for <mmusic@ietf.org>; Thu, 7 Apr 2016 05:31:42 -0700 (PDT)
Received: from pps.filterd (m0073109.ppops.net [127.0.0.1]) by mx0a-00198e01.pphosted.com (8.15.0.59/8.15.0.59) with SMTP id u37CUW26031635 for <mmusic@ietf.org>; Thu, 7 Apr 2016 08:31:42 -0400
Received: from mail.vidyo.com ([162.209.16.214]) by mx0a-00198e01.pphosted.com with ESMTP id 2201q0mvck-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT) for <mmusic@ietf.org>; Thu, 07 Apr 2016 08:31:42 -0400
Received: from 492132-EXCH1.vidyo.com ([fe80::50:56ff:fe85:4f77]) by 492133-EXCH2.vidyo.com ([fe80::50:56ff:fe85:6b62%13]) with mapi id 14.03.0195.001; Thu, 7 Apr 2016 07:31:41 -0500
From: Jonathan Lennox <jonathan@vidyo.com>
To: mmusic <mmusic@ietf.org>
Thread-Topic: 4572 update: forbid weak hashes?
Thread-Index: AQHRkMlvyALEPXgXDkKRhXLaT8/AmA==
Date: Thu, 07 Apr 2016 12:31:41 +0000
Message-ID: <4D60EE45-BECA-4A46-98EF-FF4AA482B42E@vidyo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [31.133.137.240]
Content-Type: text/plain; charset="utf-8"
Content-ID: <7077716344F1C142B8E489690EADB8B5@vidyo.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.15.96, 1.0.3, 0.0.0000 definitions=2016-04-07_08:2016-04-07,2016-04-07,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1601100000 definitions=main-1604070181
Archived-At: <http://mailarchive.ietf.org/arch/msg/mmusic/g5eU_HmrRVkxr6z3CQMtSedWhvE>
Subject: [MMUSIC] 4572 update: forbid weak hashes?
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2016 12:31:49 -0000

Hi, all —

For the RFC 4572 update, I think we should add that receivers MUST NOT match on fingerprints computed with weak hashes, and senders SHOULD NOT send them.

If we do this, it removes some of the questions about “do you need to verify a fingerprint for every hash algorithm, or only one.”

Weak hashes definitely include MD2 and MD5.  I guess we still want SHA-1 to be supported, though?

v2.23.0 | Report a Bug | By Email