Re: [MMUSIC] draft-4572-update: Spec contains references to a number of obsoleted RFCs

Cullen Jennings <fluffy@iii.ca> Tue, 03 January 2017 17:34 UTC

To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/wIr0kTtGvSIQ8GZzxOM9LqEV5kk>
Cc: Jonathan Lennox <jonathan@vidyo.com>, "mmusic@ietf.org" <mmusic@ietf.org>, Christer Holmberg <christer.holmberg@ericsson.com>

Trivial nit but ...

Actually I don't think you want MD5 treated as an unknown hash; you want it treated as "known but don't use". If A offers old and bad crypto to B, we have B log that so that we can track down and upgrade A. If we got a new unknown cipher called SSHHAA, we would not log that as bad crypto because we would assume it was new and good.


> On Jan 2, 2017, at 11:03 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> On Mon, Jan 2, 2017 at 2:41 AM, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
> Hi,
> 
> > We can remove MD2.  MD5 is dead, SHA-1 is in its death throes, but MD2 is merely a (bad) memory.
> 
> So, my suggestion is to remove all references to MD2 (including the ABNF) for now, and we'll then see what the security folks say about MD5 and SHA-1.
> 
> Given the threat model here, I think we want to tell people to ignore MD* (i.e., treat it as an unknown hash) and to accept SHA-1 (though perhaps only temporarily). Accordingly, I propose removing MD2 and MD5 from this grammar, but leave SHA-1.
> 
> -Ekr
> 
> 
> Regards,
> 
> Christer
> 
> 
> On 30 December 2016 at 22:27, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
> > Hi,
> >
> >
> >
> > Please note the following:
> >
> >
> >
> > RFC 6149, which obsoletes RFC 1319, makes MD2 historic. Do people have
> > a problem with that? I assume we’ll end up in trouble with the
> > security folks if we keep the old RFC…
> >
> >
> >
> > And, considering MD2 is historic, do we even need to mention it in
> > draft-4572-update anymore?
> >
> >
> >
> > Regards,
> >
> >
> >
> > Christer
> >
> >
> >
> >
> >
> > From: mmusic [mailto:mmusic-bounces@ietf.org] On Behalf Of Christer
> > Holmberg
> > Sent: 30 December 2016 11:42
> > To: mmusic@ietf.org
> > Cc: Jonathan Lennox (jonathan@vidyo.com) <jonathan@vidyo.com>; Cullen
> > Jennings (fluffy@iii.ca) <fluffy@iii.ca>
> > Subject: [MMUSIC] draft-4572-update: Spec contains references to a
> > number of obsoleted RFCs
> >
> >
> >
> > Hi,
> >
> >
> >
> > The idnits check returns the following for draft-4572-update.
> >
> >
> >
> >   ** Obsolete normative reference: RFC 1319 (ref. '3') (Obsoleted by RFC 6149)
> >
> >   ** Downref: Normative reference to an Informational RFC: RFC 1321 (ref. '4')
> >
> >   ** Obsolete normative reference: RFC 3280 (ref. '8') (Obsoleted by RFC 5280)
> >
> >   ** Obsolete normative reference: RFC 4234 (ref. '11') (Obsoleted by RFC 5234)
> >
> >   ** Obsolete normative reference: RFC 4288 (ref. '12') (Obsoleted by RFC 6838)
> >
> >   ** Obsolete normative reference: RFC 4346 (ref. '13') (Obsoleted by RFC 5246)
> >
> >   -- Obsolete informational reference (is this intentional?): RFC 2617 (ref. '15') (Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617)
> >
> >   -- Obsolete informational reference (is this intentional?): RFC 3525 (ref. '20') (Obsoleted by RFC 5125)
> >
> >   -- Obsolete informational reference (is this intentional?): RFC 3851 (ref. '22') (Obsoleted by RFC 5751)
> >
> >
> >
> > The reason for this is that we used RFC 4572 as base, and did not
> > change/update the references.
> >
> >
> >
> > I had a look, and I don’t think there should be any issues in
> > replacing the current RFCs with the new ones. But, please indicate if you see any issues.
> >
> >
> >
> > Regards,
> >
> >
> >
> > Christer
>
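
The distinction debated in this thread, as an added example (not code from the draft or from anyone in the thread): a receiver that separates "known but don't use" hashes, which it rejects and logs so the offering peer can be tracked down, from unknown hash names, which it ignores without raising a weak-crypto alert. The policy table, verdict names and sample SDP are assumptions constructed for illustration.

```python
import logging
import re

log = logging.getLogger("sdp.fingerprint")

# Assumed policy for this example: hash name -> (verdict, digest bytes).
KNOWN = {
    "sha-224": ("accept", 28), "sha-256": ("accept", 32),
    "sha-384": ("accept", 48), "sha-512": ("accept", 64),
    "sha-1": ("accept-temporary", 20),
    "md5": ("reject-weak", 16), "md2": ("reject-weak", 16),
}
FP_RE = re.compile(r"a=fingerprint:(\S+) ((?:[0-9A-Fa-f]{2}:)*[0-9A-Fa-f]{2})\s*$")

def classify(line):
    """Return (verdict, hash_name) for one a=fingerprint line."""
    m = FP_RE.match(line)
    if not m:
        return ("malformed", None)
    name = m.group(1).lower()
    if name not in KNOWN:
        return ("ignore-unknown", name)  # may be newer than us: no alarm
    verdict, length = KNOWN[name]
    if len(m.group(2).split(":")) != length:
        return ("malformed", name)       # digest size does not fit the hash
    return (verdict, name)

def evaluate_offer(sdp, peer):
    """Return (usable hash names, weak hash names) for an SDP body."""
    usable, weak = [], []
    for line in sdp.splitlines():
        if not line.startswith("a=fingerprint:"):
            continue
        verdict, name = classify(line)
        if verdict.startswith("accept"):
            usable.append(name)
        elif verdict == "reject-weak":
            weak.append(name)
            log.warning("peer %s offered deprecated hash %s", peer, name)
        elif verdict == "ignore-unknown":
            log.debug("peer %s offered unknown hash %s", peer, name)
    return usable, weak

def sample_fp(n):
    """Constructed placeholder digest of n bytes, not a real fingerprint."""
    return ":".join(["AB"] * n)

# Constructed sample offer: one deprecated, one unknown, one accepted hash.
SAMPLE_SDP = "\r\n".join(["v=0", "a=fingerprint:md5 " + sample_fp(16),
    "a=fingerprint:SSHHAA " + sample_fp(32), "a=fingerprint:sha-256 " + sample_fp(32)])
```
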