Re: [OPSEC] minutes part 2
"Vishwas Manral" <vishwas.ietf@gmail.com> Tue, 23 December 2008 18:07 UTC
Return-Path: <opsec-bounces@ietf.org>
X-Original-To: opsec-archive@optimus.ietf.org
Delivered-To: ietfarch-opsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 727CD3A6B2B; Tue, 23 Dec 2008 10:07:10 -0800 (PST)
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 45E753A6B2A for <opsec@core3.amsl.com>; Tue, 23 Dec 2008 10:07:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1YBxF0Y6BYjB for <opsec@core3.amsl.com>; Tue, 23 Dec 2008 10:07:05 -0800 (PST)
Received: from mail-bw0-f21.google.com (mail-bw0-f21.google.com [209.85.218.21]) by core3.amsl.com (Postfix) with ESMTP id 9D3863A6452 for <opsec@ietf.org>; Tue, 23 Dec 2008 10:07:04 -0800 (PST)
Received: by bwz14 with SMTP id 14so10282266bwz.13 for <opsec@ietf.org>; Tue, 23 Dec 2008 10:06:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=Ml53pTEDJS2iwKXq59V0cfPJOrkovGTOfbq235Kv22I=; b=nMWaVZ2L/d9QotkBJpQ7HSs9lWoryDphfpL/3YcS3gUcHMgkDRsQDvRZLQlboJ7rxh WYQzaXUgO2vqbN18mD6kbcqVn4TB833Llwl5FNRaN3ncRDU/CoM4u5blGq3QS5F9524G mosB+LrlZT9mx3VN6nRFjK8OI7TUk8u7i+rH8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=pWg2RCloMtfEAQUsv36u+BAawNgyJIGWUFh4zSd9PP7rH4EwytY1Yf+vZvpMPYvcMv 3WDIktaxrThVucdewIbsPApmmNvFby/WNlvLMwozwoSjRbBUO7vvaMqnF1twxi12AOKm R4HBFG45uZ1GDVs09J7IAEMZY4cKLa+9gDJsc=
Received: by 10.181.50.1 with SMTP id c1mr2823885bkk.3.1230055614218; Tue, 23 Dec 2008 10:06:54 -0800 (PST)
Received: by 10.180.209.3 with HTTP; Tue, 23 Dec 2008 10:06:54 -0800 (PST)
Message-ID: <77ead0ec0812231006u55443dacn1731f51a8e922b62@mail.gmail.com>
Date: Tue, 23 Dec 2008 10:06:54 -0800
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: R Atkinson <ran.atkinson@gmail.com>
In-Reply-To: <1D5F3F5F-4357-4E25-BEDE-35300949EDB8@gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
References: <EC3F7E1D-F7C8-484A-A0C0-1A25E79AD86E@extremenetworks.com> <77ead0ec0812160927j77bf42c6mbccef8ccf55d1e16@mail.gmail.com> <90F75653-21D6-4D2B-9472-52F2BDF7510D@gmail.com> <77ead0ec0812161118l3ca37732m541deb4c716a8f42@mail.gmail.com> <0C823E84-78EE-4234-9AD8-20688B0F8F55@gmail.com> <77ead0ec0812161616r5cc782c5j69415f75d4aa82bb@mail.gmail.com> <7EBC9C5C-EDF9-4CDD-8E1B-B9D05656ACAA@gmail.com> <494D48B6.9090302@bogus.com> <77ead0ec0812222113m28f91093ke6512a5d7a287b0c@mail.gmail.com> <1D5F3F5F-4357-4E25-BEDE-35300949EDB8@gmail.com>
Cc: opsec@ietf.org
Subject: Re: [OPSEC] minutes part 2
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: opsec-bounces@ietf.org
Errors-To: opsec-bounces@ietf.org
Hi Ran, > Of course, NIST's approved algorithms list only contains > NIST algorithms This ought not be surprising. > > Of course, non-NIST algorithms aren't on NIST's lists. > That is a tautology. > > There is no news here. I am not trying to disseminate news here. The aim was to show that the link which has been updated 2 months back states the uses of SHA-2, etc is safe for hashing purposes. I wanted to know if you thought that information was not correct. Thanks, Vishwas > It is all entirely consistent with my prior statements. There > are some organisations that *for policy reasons* prefer to use > certain algorithms or algorithm families. > > A choice made to comply with (local or national) organisational > policy is quite different from a claim that scientific > evidence exists that one algorithm is better than some > other algorithm (when evaluated in the context of a > particular cryptographic mode -- comparing apples to apples). > > As the IETF is an international, global organisation, > the IETF has so far declined to use *local or national > policy* as the basis to endorse or reject any particular > algorithm. This seems only proper as the IETF ought not > prefer US policy over another country's policy in its > decision making. This principle of using global scope for > the IETF standards processes lies behind [RFC-1984]. > > Given the relatively recent information indicating "serious > attacks" on SHA (the quote is from NIST [1]), including an > acknowledged attack on SHA-1 [2], previous beliefs that SHA > might be stronger are no longer supported by the science at hand. > MD5 is also subject to "serious attacks" that have been published. > So the data available says that both SHA and MD5 have cause > for serious concern. > > Now, maybe someone has recently published some scientific, > peer-reviewed, paper that compares MD5 and SHA (in the mode > used by the IGPs for authentication). If such exists, a pointer > to that paper would be helpful to everyone in the OPsec WG. > Absent such a paper, the only *scientific* conclusion is that > (1) there is cause for concern about both SHA and MD5 and > (2) there is not enough data at the present time to prefer > either of those algorithms over the other algorithm. > > A practical step might be for some folks (not including me !) > to add some additional MAC algorithms to the set available > for IGP authentication, to provide more choices to implementers. > Apparently specifications for an AES-CBC MAC and a "Counter > with CBC-MAC" have been created in recent years. [RFC-3566] > [RFC-3610] (NOTE WELL: I haven't done a literature search > on either of those, so I'm not recommending either one; instead, > I am only noting that the universe is not limited to SHA or MD5, > and providing some examples of other options by way of an > existence proof.) > > Cheers, > > Ran > rja@extremenetworks.com > > PS: The set of "First Round Candidates" to replace > the existing SHA standards are listed at reference [3] below. > > [1]<http://csrc.nist.gov/groups/ST/hash/index.html> > [2]<http://csrc.nist.gov/groups/ST/toolkit/documents/shs/NISTHashComments-final.pdf> > [3]<http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/submissions_rnd1.html> > _______________________________________________ > OPSEC mailing list > OPSEC@ietf.org > https://www.ietf.org/mailman/listinfo/opsec > _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec
- [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- [OPSEC] Prospective issue with IPsec ESP-NULL & I… R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Vishwas Manral
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Vishwas Manral
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… R Atkinson
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Darrel Lewis (darlewis)
- Re: [OPSEC] minutes part 2 Darrel Lewis (darlewis)
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- [OPSEC] FW: minutes part 2 Michael Barnes
- Re: [OPSEC] FW: minutes part 2 Smith, Donald
- Re: [OPSEC] FW: minutes part 2 Michael Barnes
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson