IETF Logo Mail Archive

Re: [saag] SHA-1 to SHA-n transition

Bill Sommerfeld <sommerfeld@sun.com> Thu, 26 February 2009 15:58 UTC

Return-Path: <sommerfeld@sun.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 05A213A68E8 for <saag@core3.amsl.com>; Thu, 26 Feb 2009 07:58:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.046
X-Spam-Level:
X-Spam-Status: No, score=-6.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ptw0oBHXt2OD for <saag@core3.amsl.com>; Thu, 26 Feb 2009 07:58:33 -0800 (PST)
Received: from sca-ea-mail-1.sun.com (sca-ea-mail-1.Sun.COM [192.18.43.24]) by core3.amsl.com (Postfix) with ESMTP id 39DF93A67F7 for <saag@ietf.org>; Thu, 26 Feb 2009 07:58:33 -0800 (PST)
Received: from dm-east-01.east.sun.com ([129.148.9.192]) by sca-ea-mail-1.sun.com (8.13.7+Sun/8.12.9) with ESMTP id n1QFwjtP019969; Thu, 26 Feb 2009 15:58:45 GMT
Received: from localhost.east.sun.com (vroom.SFBay.Sun.COM [10.7.251.192]) by dm-east-01.east.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id n1QFwiLa003813; Thu, 26 Feb 2009 10:58:44 -0500 (EST)
Received: from localhost.east.sun.com (localhost [127.0.0.1]) by localhost.east.sun.com (8.14.3+Sun/8.14.3) with ESMTP id n1QFwhcx003575; Thu, 26 Feb 2009 07:58:43 -0800 (PST)
Received: (from sommerfeld@localhost) by localhost.east.sun.com (8.14.3+Sun/8.14.3/Submit) id n1QFweR2003574; Thu, 26 Feb 2009 07:58:41 -0800 (PST)
X-Authentication-Warning: localhost.east.sun.com: sommerfeld set sender to sommerfeld@sun.com using -f
From: Bill Sommerfeld <sommerfeld@sun.com>
To: Theodore Tso <tytso@mit.edu>
In-Reply-To: <20090226143809.GF7227@mit.edu>
References: <2788466ED3E31C418E9ACC5C3166155768B2CB@mou1wnexmb09.vcorp.ad.vrsn.com> <0c2301c9979f$8a1cd770$0600a8c0@china.huawei.com> <2788466ED3E31C418E9ACC5C3166155768B2CE@mou1wnexmb09.vcorp.ad.vrsn.com> <20090226143809.GF7227@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Date: Thu, 26 Feb 2009 07:58:37 -0800
Message-Id: <1235663917.3293.16.camel@localhost>
Mime-Version: 1.0
X-Mailer: Evolution 2.24.2
Cc: der Mouse <mouse@Rodents-Montreal.ORG>, saag@ietf.org
Subject: Re: [saag] SHA-1 to SHA-n transition
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Feb 2009 15:58:34 -0000

On Thu, 2009-02-26 at 09:38 -0500, Theodore Tso wrote:

> There are couple of things we need to do in order to successfully
> carry off a migration:
> 
> (1) ...
> (2) ...
> (3) Once (1) and (2) are done, <deploy certs using sha-n>

So, that sort of transition plan is doomed.  (1) and (2) will never be
"done" because there will always be sites and clients running old
software.

What's more, software which has not been tested does not work.  We don't
know until we start trying to deploy sha-n certs on a wide scale if we
got all the details right, and if we got something wrong and have to
tweak the browsers again...

IMHO we need a transition plan which allows websites to deploy with
sha-n certs in parallel to sha-1 certs from day 1 (and, if I dare
mention it, we need to find some way to do this without making them pay
a bunch of nuisance fees to CA operators).

That way the hard part of the transition plan looks more like:

 n) release software which expects sha-n and considers sha-1 an
exceptional case.

and the triggering event for this can be somewhat more flexible.  It may
still happen shortly after a "cnn moment", but which would be a much
more graceful transition than if we had to throw the switch starting
today.

v2.23.0 | Report a Bug | By Email