IETF Logo Mail Archive

Re: [OPSEC] minutes part 2

R Atkinson <ran.atkinson@gmail.com> Wed, 17 December 2008 00:53 UTC

Return-Path: <opsec-bounces@ietf.org>
X-Original-To: opsec-archive@optimus.ietf.org
Delivered-To: ietfarch-opsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 559433A6999; Tue, 16 Dec 2008 16:53:36 -0800 (PST)
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 228BD3A6999 for <opsec@core3.amsl.com>; Tue, 16 Dec 2008 16:53:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id USJBhledb7mT for <opsec@core3.amsl.com>; Tue, 16 Dec 2008 16:53:34 -0800 (PST)
Received: from mail-qy0-f11.google.com (mail-qy0-f11.google.com [209.85.221.11]) by core3.amsl.com (Postfix) with ESMTP id 0ED333A6870 for <opsec@ietf.org>; Tue, 16 Dec 2008 16:53:33 -0800 (PST)
Received: by qyk4 with SMTP id 4so3488417qyk.13 for <opsec@ietf.org>; Tue, 16 Dec 2008 16:53:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:cc:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:mime-version :subject:date:references:x-mailer; bh=bjvDJpKMzw5EGndhZvbZ8YUrpZVz6tGOD5Q8NOPwfT0=; b=oZeB9l7vimGsNUJ96fdWRz2GoSR9p43x07MjJJ/6BgVb0qhVvwxusVGzSJG81zvc3f 8MiA9+prveEvWulSR8Qjv2hRWI8Sad84V1SWG30j0xDcP0U4b4eBustSnjHgP3h5j+kK cAIBUQPz+kfpV3BnA3ap2fH5CMCs46uCP7C/k=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=cc:message-id:from:to:in-reply-to:content-type :content-transfer-encoding:mime-version:subject:date:references :x-mailer; b=QisbV37Trhu6sAw2rl4UWPIAA69zsW+nae5O19RJTaIUN9k+QnK+mc+hTqecPqnSoG 6N9qk+KOY6m2fswaJhokNJfHhI1Q49knblcGB67h9nrO7NmdLD63J6l68lHCIsDDkmOy wka0aGk6UFEl5i6URWHWzMmUFr1iJbNzlJUJo=
Received: by 10.214.183.17 with SMTP id g17mr85739qaf.265.1229475205846; Tue, 16 Dec 2008 16:53:25 -0800 (PST)
Received: from ?10.10.1.61? (67.111.52.130.ptr.us.xo.net [67.111.52.130]) by mx.google.com with ESMTPS id 9sm1896017yws.28.2008.12.16.16.53.24 (version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 16 Dec 2008 16:53:25 -0800 (PST)
Message-Id: <12201E12-8A0B-4FBE-95A9-5C8B23DA46EC@gmail.com>
From: R Atkinson <ran.atkinson@gmail.com>
To: Glen Kent <glen.kent@gmail.com>
In-Reply-To: <92c950310812161620j7d8aaa16m553940edadbe6d8f@mail.gmail.com>
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Tue, 16 Dec 2008 19:53:23 -0500
References: <EC3F7E1D-F7C8-484A-A0C0-1A25E79AD86E@extremenetworks.com> <92c950310812161620j7d8aaa16m553940edadbe6d8f@mail.gmail.com>
X-Mailer: Apple Mail (2.930.3)
Cc: opsec@ietf.org
Subject: Re: [OPSEC] minutes part 2
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: opsec-bounces@ietf.org
Errors-To: opsec-bounces@ietf.org

On  16 Dec 2008, at 19:20, Glen Kent wrote:
> I don't understand your concern.

I have no concern with the WG documenting any issues, provided:
- they really are technical issues rather than opinion,
- the analysis really is comprehensive, including a threat model,
- the analysis also discusses existing mitigations,
and
- the analysis covers all such authentication mechanism,
   including for example RFC-2154, not just some of them.

(For an individual submission rather than a WG document, of course,
none of the above caveats would apply, as individuals can say
whatever they wish, true or not, in a personal informational RFC. :-)

As my notes have tried (and perhaps failed, sigh) to make
clear, the focus of my concerns are:

1) An apparent proposal, according to the WG minutes, to have
    the OPsec WG recommend that users migrate to using SHA-based
    mechanisms.  There are not solid technical grounds to
    recommend/prefer SHA approaches over MD5 approaches
    (or the reverse: it isn't obvious that MD5 is better either).

2) Erroneous claims in the meeting minutes that SHA-based approaches
    are better than the existing MD5-based mechanisms.  The approaches
    are very slightly different, but as the URLs I provided much earlier
    today make clear, SHA has issues in the published literature just
    as MD5 does, AND NIST is actively moving to deprecate SHA/SHA-1/ 
SHA-2.

Yours,

Ran
rja@extremenetworks.com

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec

v2.23.0 | Report a Bug | By Email