Re: [OPSEC] draft-bhatia-manral-igp-crypto-requirements

Joel Jaeggli <joelja@bogus.com> Thu, 26 February 2009 05:55 UTC


Vishwas Manral wrote:
> Hi Joel,
> 
> Thanks for your comment on the document.
> 
>> We have the issue of vulnerable today vs problematic today, or
>> tomorrow... I feel very comfortable saying there are some places where
>> md5 is used today that I'd really prefer to not be using it in 5 years.
> If I understood you right, you are saying stating the fact that it's
> used now though we would prefer it was not used. That was the exact
> idea of MUST-, SHOULD+ etc we had used in the document earlier.

I side with Sandra Murphy on the value of that particular language. If
my concern is that I should not be running something in the future I
want to simply state that. We take that concern expressed in an
informational document back to implementation.

> It gives an idea of direction of where the support of a particular
> algorithm is heading towards. However based on the comments in the
> list we modified the document to use standard IETF terminology.

Which I concur with.

joel

> Thanks,
> Vishwas
> 
>>> Thanks for your support of the document.
>>>
>>> There was no ambiguity as such, however Ran wanted us to look further
>>> into whether the recently announced vulnerabilities to SHA-1 and MD5
>>> would affect the recommendation for HMAC-SHA-1.
>> We have the issue of vulnerable today vs problematic today, or
>> tomorrow... I feel very comfortable saying there are some places where
>> md5 is used today that I'd really prefer to not be using it in 5 years.
>>
>> That's good advice to have especially on the operational side.
>>
>> Stating that is being proactive.
>>
>> joelja
>>
>>> Thanks,
>>> Vishwas
>>>
>>> On Tue, Feb 24, 2009 at 9:04 AM, Glen Kent <glen.kent@gmail.com> wrote:
>>>> So was there any ambiguity in recommending HMAC-SHA1 over other
>>>> available options ever?
>>>>
>>>> I re-read the document, found it extremely simple, the recommendations
>>>> look right, found it just to be what OPSEC must own up.
>>>>
>>>> Glen
>>>>
>>>> On Tue, Feb 24, 2009 at 9:39 AM, Vishwas Manral <vishwas.ietf@gmail.com> wrote:
>>>>> Hi folks,
>>>>>
>>>>> We now have got some clear guidance regarding this document from the
>>>>> Security ADs regarding the cryptographic algorithms (Joel has been
>>>>> privy to those mails). The guidance seems to second what Hugo and
>>>>> other cryptographers have been stating all along. The crux of what has
>>>>> been said is:
>>>>>
>>>>> MD5 should not be used for crypto purposes. SHA-1 though stronger is
>>>>> also vulnerable. HMAC-MD5 though not yet vulnerable looks highly
>>>>> suspect and should not be recommended. HMAC-SHA-1 for now looks ok and
>>>>> can be recommended. Going forward we should try to recommend the SHA-2
>>>>> family of protocols.
>>>>>
>>>>> With these clear guidances matching what we have in our documents, I
>>>>> would like to ask the working group to look into this document
>>>>> further. We can then look at getting this as a WG document.
>>>>>
>>>>> Thanks,
>>>>> Vishwas
>>>>> _______________________________________________
>>>>> OPSEC mailing list
>>>>> OPSEC@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/opsec
>>>>>