Re: [saag] SHA-1 to SHA-n transition
David McGrew <mcgrew@cisco.com> Tue, 24 February 2009 12:11 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B41F03A6A20 for <saag@core3.amsl.com>; Tue, 24 Feb 2009 04:11:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xKhPs-69UrQl for <saag@core3.amsl.com>; Tue, 24 Feb 2009 04:11:50 -0800 (PST)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id 27FF43A67A4 for <saag@ietf.org>; Tue, 24 Feb 2009 04:11:50 -0800 (PST)
X-IronPort-AV: E=Sophos; i="4.38,258,1233532800"; d="scan'208,217"; a="146555350"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-1.cisco.com with ESMTP; 24 Feb 2009 12:12:09 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id n1OCC9Bl031562; Tue, 24 Feb 2009 04:12:09 -0800
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-5.cisco.com (8.13.8/8.13.8) with ESMTP id n1OCC9hY018139; Tue, 24 Feb 2009 12:12:09 GMT
Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 24 Feb 2009 04:12:09 -0800
Received: from [10.32.254.210] ([10.32.254.210]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 24 Feb 2009 04:12:08 -0800
Message-Id: <457F06E3-7F0E-409A-8E0F-C5A653827258@cisco.com>
From: David McGrew <mcgrew@cisco.com>
To: Phillip Hallam-Baker <pbaker@verisign.com>
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB7727E7B494E9@NOK-EUMSG-01.mgdnok.nokia.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-14--527710453"
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Tue, 24 Feb 2009 04:12:07 -0800
References: <p06240802c5c5c22d92f0@[128.89.89.88]> <2788466ED3E31C418E9ACC5C3166155768B2BD@mou1wnexmb09.vcorp.ad.vrsn.com> <808FD6E27AD4884E94820BC333B2DB7727E7B494E9@NOK-EUMSG-01.mgdnok.nokia.com>
X-Mailer: Apple Mail (2.930.3)
X-OriginalArrivalTime: 24 Feb 2009 12:12:08.0564 (UTC) FILETIME=[1D6CAB40:01C99679]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=15788; t=1235477529; x=1236341529; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mcgrew@cisco.com; z=From:=20David=20McGrew=20<mcgrew@cisco.com> |Subject:=20Re=3A=20[saag]=20SHA-1=20to=20SHA-n=20transitio n |Sender:=20; bh=xsRmVn+s40YFM6ha/Rp1bM999EDWRS/HdiF6Va/ow5Q=; b=TfcF2MXX9qQfI5SE/dW/S+8ygtav2uK7ESn8joMjTkfeSdFN7gmu+AxpZG Dw4PijPiOYSjXvDgLHe3QkuL1NVbZ0/jpow0Bx8E03IrEban+MQneBsVqybb k/k4GNj5yS;
Authentication-Results: sj-dkim-3; header.From=mcgrew@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: Pasi.Eronen@nokia.com, saag@ietf.org
Subject: Re: [saag] SHA-1 to SHA-n transition
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Feb 2009 12:11:51 -0000
Hi Phillip, On Feb 24, 2009, at 3:48 AM, <Pasi.Eronen@nokia.com> wrote: > Phillip, > > Since you did suggest that adhering to "pristine principles of the > PKIX infrastructure" would get us in deep trouble, does that mean you > think relaxing/dropping some of those principles would allow us to > avoid some of the trouble? > > Or in other words, what are you proposing? I'd certainly be interested > in hearing it, even if it's not totally in line with how we've done > things earlier... I'll second Pasi's question. If you are alluding to some particular proposal, I don't know what it is. David > > Best regards, > Pasi > > From: saag-bounces@ietf.org [mailto:saag-bounces@ietf.org] On Behalf > Of ext Hallam-Baker, Phillip > Sent: 23 February, 2009 21:14 > To: Stephen Kent; saag@ietf.org > Subject: Re: [saag] SHA-1 to SHA-n transition > > Let us see, I suggest that we might need to slay a sacred PKIX cow > or two in order to make the SHA-n transition work. Stephen: > > * Describes the suggestion as 'offensive' > * Raises a non sequitor about certificate issue policy > > I canot imagine why Stephen would imagine that a sensible response > to a technical issue would be found in relaxing certificate issue > policy criteria, or for that matter why I would be likely to be > suggesting that. > > I did however anticipate that Stephen would find my proposal > objectionable. But was somewhat surprised that he didn't wait to > find out what it was before objecting. > > > We have a problem here that requires us to work out a coherent > transition plan for enabling browsers to make use of the stronger > security of SHA2 and SHAn at the earliest possible date taking into > account that we have a very small installed base of SHA2 capable > clients and no spec for SHAn. > > The problem is that you do not gain security from introducing > stronger algorithms, you only gain security from withdrawing > insecure algorithms from use. And for better or worse, there are > real limits to what the Internet user base will tollerate for > security. > > So simply adding SHA2 support to existing browsers does not help us > much unless we have a way to retrospectively shut off SHA1 support > when it is no longer trustworthy. > > And even that does not help very much as there will be a large > number of certificate customers who want to sell to people who can > only use SHA1 capable browsers. > > And then we have the problem that PKIX does not really have a > strategy for algorithm transition. It has the ability to use > multiple algorithms but not very much thought of how the transition > from one to another takes place. > > > From: saag-bounces@ietf.org on behalf of Stephen Kent > Sent: Sat 2/21/2009 11:10 AM > To: saag@ietf.org > Subject: [saag] SHA-1 to SHA-n transition > > I agree wit Phil's suggestion that we begin work on this topic > sooner rather than later. Solutions probably will require > coordination between folks in both PKIX and TLS, plus some browser > experts from the APP area. > > However, Phil's comment (underling added by me) > > If we start addressing the problem now we can lay ourselves an > insurance policy. If we try to insist on the pristine principles of > the PKIX infrastructure we are going to be in deep trouble in about > five years time. > > is offensive, at best. Moreover, unless Phil and his favorite > browser vendors already have a solution in mind, and he anticipates > that it will be objectionable to PKIX, this comment is gratuitous. > > Since we're talking about how well browsers implement PKI mechanisms > in the context of SSL/TLS, it is worth noting a presentation at last > week's Black Hat conference in D.C. The presentation provided > details on how several browsers remain vulnerable to attacks because > they fails to check the Basic Constraints extension. This oversight > of one of those pristine principles of PKIX ( we can use the acronym > P3 going forward) and allows a web sites to act as a CA, based o the > EE cert issued to it by any of the trust anchors embedded in the > browser. > > Another vulnerability, and matching MITM attack, is enabled by the > issuance of certs that contain wildcard DNS names. This is not, a > violation of P3, because PKIX caved to pressure from the TLS WG, to > accommodate web site operators who wanted to purchase one cert from > a TTP that could be used to verify the EE certs for multiple web > sites. I argued against this, but lost. The phrase "I told you so" > comes to mind :-). > > So, contrary to Phil's assertion that adherence to P3 will get us > into deep trouble in five years (with regard to this transition > issue), I believe that PKI shortcuts (hacks) in browsers have gotten > us into deep trouble for many years, and are likely to persist. > > Steve > _______________________________________________ > saag mailing list > saag@ietf.org > https://www.ietf.org/mailman/listinfo/saag
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- [saag] SHA-1 to SHA-n transition Stephen Kent
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Hannes Tschofenig
- Re: [saag] SHA-1 to SHA-n transition Stephen Kent
- Re: [saag] SHA-1 to SHA-n transition Chandersekaran, Coimbatore S
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Yoav Nir
- Re: [saag] SHA-1 to SHA-n transition Pasi.Eronen
- Re: [saag] SHA-1 to SHA-n transition David McGrew
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Santosh Chokhani
- Re: [saag] SHA-1 to SHA-n transition der Mouse
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Paul Hoffman
- Re: [saag] SHA-1 to SHA-n transition David Harrington
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Michael O'Neill
- Re: [saag] SHA-1 to SHA-n transition Theodore Tso
- [saag] Deployment Deadlock Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Bill Sommerfeld
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- [saag] Channel binding is great but not a silver … Sam Hartman
- Re: [saag] Channel binding is great but not a sil… Nicolas Williams
- Re: [saag] Channel binding is great but not a sil… Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] Channel binding is great but not a sil… Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] Channel binding is great but not a sil… Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] Channel binding is great but not a sil… Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] Channel binding is great but not a sil… Alan DeKok
- Re: [saag] Channel binding is great but not a sil… Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] Channel binding is great but not a sil… Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] Channel binding is great but not a sil… Alan DeKok
- [saag] Or grow a real PKI (Re: SHA-1 to SHA-n tra… Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Stephen Kent
- Re: [saag] Channel binding is great but not a sil… Stephen Kent
- Re: [saag] Channel binding is great but not a sil… Stephen Kent
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Stephen Kent
- Re: [saag] Channel binding is great but not a sil… Nicolas Williams
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Nicolas Williams
- Re: [saag] Deployment Deadlock Pasi.Eronen
- Re: [saag] Deployment Deadlock Hallam-Baker, Phillip
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Hallam-Baker, Phillip
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Stephen Kent
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Theodore Tso
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Bill Sommerfeld
- [saag] Credential portability RE: SHA-1 to SHA-n … Hallam-Baker, Phillip