Re: [saag] Revision of "Attacks on Cryptographic Hashes in Internet Protocols"

Andrey Jivsov <openpgp@brainhub.org> Thu, 15 November 2012 01:00 UTC

Return-Path: <openpgp@brainhub.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E08621F87A9 for <saag@ietfa.amsl.com>; Wed, 14 Nov 2012 17:00:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.437
X-Spam-Level:
X-Spam-Status: No, score=-0.437 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ouvEamLeAKQF for <saag@ietfa.amsl.com>; Wed, 14 Nov 2012 17:00:53 -0800 (PST)
Received: from qmta07.emeryville.ca.mail.comcast.net (qmta07.emeryville.ca.mail.comcast.net [IPv6:2001:558:fe2d:43:76:96:30:64]) by ietfa.amsl.com (Postfix) with ESMTP id 15F6A21F87A5 for <saag@ietf.org>; Wed, 14 Nov 2012 17:00:53 -0800 (PST)
Received: from omta04.emeryville.ca.mail.comcast.net ([76.96.30.35]) by qmta07.emeryville.ca.mail.comcast.net with comcast id PWxz1k00B0lTkoCA7d0sX0; Thu, 15 Nov 2012 01:00:52 +0000
Received: from [127.0.0.1] ([69.181.162.123]) by omta04.emeryville.ca.mail.comcast.net with comcast id Pd0r1k00j2g33ZR8Qd0sAq; Thu, 15 Nov 2012 01:00:52 +0000
Message-ID: <50A43E80.1020003@brainhub.org>
Date: Wed, 14 Nov 2012 16:59:44 -0800
From: Andrey Jivsov <openpgp@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120911 Thunderbird/15.0.1
MIME-Version: 1.0
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <9B93EFAD-AD9B-4402-8CC2-79239EB3DF2E@vpnc.org> <50A40FC8.8080602@brainhub.org> <9BE0FD3C-F9CE-492E-A64C-D7CFB7961D3C@vpnc.org> <50A42ACF.80208@brainhub.org> <75F9A834-CA86-4551-A0D9-382EBEBBD04C@vpnc.org> <50A43870.6000605@brainhub.org> <6AF2A507-3533-42CD-95D1-26DB88A80952@vpnc.org>
In-Reply-To: <6AF2A507-3533-42CD-95D1-26DB88A80952@vpnc.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: IETF Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Revision of "Attacks on Cryptographic Hashes in Internet Protocols"
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Nov 2012 01:00:53 -0000

On 11/14/2012 04:39 PM, Paul Hoffman wrote:
>
> On Nov 14, 2012, at 4:33 PM, Andrey Jivsov <openpgp@brainhub.org> wrote:
>
>> On 11/14/2012 03:42 PM, Paul Hoffman wrote:
>>> On Nov 14, 2012, at 3:35 PM, Andrey Jivsov <openpgp@brainhub.org> wrote:
>>>
>>>> On 11/14/2012 02:33 PM, Paul Hoffman wrote:
>>>>> On Nov 14, 2012, at 1:40 PM, Andrey Jivsov <openpgp@brainhub.org> wrote:
>>>>>
>>>>>> SHA-2 is well-supported today, but there are no solid reasons why SHA-3 will not be supported equally well in the future.
>>>>>
>>>>> In that future, we can re-look at support for it in IETF protocols. For now, algorithm agility might be sufficient.
>>>>
>>>> I would agree, but the document such as RFC 4270 influence the future. If the message it sends is that the SHA-3 is an odd bifurcation in the SHA line, SHA-3 won't gain critical mass.
>>>
>>> If we have suggested that in the draft, we should change the text. Can you say where you got that feeling?
>>
>> "However, the authors do not believe that any push to start using SHA-3 is warranted at any time soon."
>
> We disagree that that sentence indicates "that the SHA-3 is an odd bifurcation in the SHA line".
>
> --Paul Hoffman
>

OK Paul, I noted this :-). I would not read it that way, but some people 
might. The Internet will keep your reply as a proof to those.

Nonetheless... I would prefer to see some language suggesting that the 
hash transition issue may be more urgent because of the time lag in some 
cases (described in my previous email).

Re-phrasing my earlier deployment concerns, let me observe that the hash 
algorithm agility/preferences is an elusive thing in general. In 
general, we sign persistent data structures that will be processed by 
entities we may not know anything about. Thus, we cannot gather 
capability preferences from entities who will be performing the 
verification. The only reliable solution is to (universally) deploy 
"read" support and then enable the "generation" of the new data structures.

Thank you.