Re: [OPSEC] draft-bhatia-manral-igp-crypto-requirements

Joel Jaeggli <joelja@bogus.com> Wed, 25 February 2009 22:19 UTC

Vishwas Manral wrote:
> Hi Glen,
> 
> Thanks for your support of the document.
> 
> There was no ambiguity as such, however Ran wanted us to look further
> into whether the recently announced vulnerabilities to SHA-1 and MD5
> would affect the recommendation for HMAC-SHA-1.

We have the issue of vulnerable today vs problematic today, or
tomorrow... I feel very comfortable saying there are some places where
md5 is used today that I'd really prefer to not be using it in 5 years.

That's good advice to have especially on the operational side.

Stating that is being proactive.

joelja

> Thanks,
> Vishwas
> 
> On Tue, Feb 24, 2009 at 9:04 AM, Glen Kent <glen.kent@gmail.com> wrote:
>> So was there any ambiguity in recommending HMAC-SHA1 over other
>> available options ever?
>>
>> I re-read the document, found it extremely simple, the recommendations
>> look right, found it just to be what OPSEC must own up.
>>
>> Glen
>>
>> On Tue, Feb 24, 2009 at 9:39 AM, Vishwas Manral <vishwas.ietf@gmail.com> wrote:
>>> Hi folks,
>>>
>>> We now have got some clear guidance regarding this document from the
>>> Security ADs regarding the cryptographic algorithms (Joel has been
>>> privy to those mails). The guidance seems to second what Hugo and
>>> other cryptographers have been stating all along. The crux of what has
>>> been said is:
>>>
>>> MD5 should not be used for crypto purposes. SHA-1 though stronger is
>>> also vulnerable. HMAC-MD5 though not yet vulnerable looks highly
>>> suspect and should not be recommended. HMAC-SHA-1 for now looks ok and
>>> can be recommended. Going forward we should try to recommend the SHA-2
>>> family of protocols.
>>>
>>> With these clear guidances matching what we have in our documents, I
>>> would like to ask the working group to look into this document
>>> further. We can then look at getting this as a WG document.
>>>
>>> Thanks,
>>> Vishwas
>>> _______________________________________________
>>> OPSEC mailing list
>>> OPSEC@ietf.org
>>> https://www.ietf.org/mailman/listinfo/opsec
>>>