Re: [saag] sha1 - have we more work to do?
Sandra Murphy <sandy@tislabs.com> Thu, 05 November 2015 06:07 UTC
Return-Path: <sandy@tislabs.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAA061B36F2 for <saag@ietfa.amsl.com>; Wed, 4 Nov 2015 22:07:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p4JlJMG4SNp6 for <saag@ietfa.amsl.com>; Wed, 4 Nov 2015 22:07:36 -0800 (PST)
Received: from walnut.tislabs.com (walnut.tislabs.com [192.94.214.200]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EBDE1B3A35 for <saag@ietf.org>; Wed, 4 Nov 2015 22:07:36 -0800 (PST)
Received: from nova.tislabs.com (unknown [10.66.1.77]) by walnut.tislabs.com (Postfix) with ESMTP id 0009C28B003D; Thu, 5 Nov 2015 01:07:35 -0500 (EST)
Received: from [IPv6:::1] (localhost.localdomain [127.0.0.1]) by nova.tislabs.com (Postfix) with ESMTP id 36C6E1F8035; Thu, 5 Nov 2015 01:07:35 -0500 (EST)
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_01FFE837-DE4F-4F22-A72A-56F6596056B0"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.5.1
From: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <5617C054.1070207@cs.tcd.ie>
Date: Thu, 05 Nov 2015 15:04:09 +0900
Message-Id: <CAC84F6D-9DD4-4FAE-9386-BA39A3878192@tislabs.com>
References: <5617C054.1070207@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/On5KkhJBmVAiesXSuvxfFXjqn_Q>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] sha1 - have we more work to do?
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Nov 2015 06:07:38 -0000
Probably not what you meant, but… We had a long discussion in sidr of the potential for collisions from the use of SHA1 to construct key identifiers. That use is pretty pervasive, since it comes from rfc5280. —Sandy On Oct 9, 2015, at 10:25 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hiya, > > While it may be still under submission, and not yet peer reviewed, > I was just looking at [1,2] and wondered if we've still work to do > to deprecate sha1 anywhere that we've not yet done. I know a lot > of this was done already but just wanted to check that we're good. > > Anyone know places where sha1 is still a should or must or where it's > still in widespread use despite no longer being a should or must? > (No need to mention root stores in browser for that last though, as > that's a known issue and is I think already being tackled by browser > makers.) > > I guess we can make a list and then figure out what to do if the > list is non-empty. > > Cheers, > S. > > [1] https://sites.google.com/site/itstheshappening/ > [2] https://sites.google.com/site/itstheshappening/shappening_article.pdf > > _______________________________________________ > saag mailing list > saag@ietf.org > https://www.ietf.org/mailman/listinfo/saag
- [saag] sha1 - have we more work to do? Stephen Farrell
- Re: [saag] sha1 - have we more work to do? Yoav Nir
- Re: [saag] sha1 - have we more work to do? Benjamin Kaduk
- Re: [saag] sha1 - have we more work to do? Derek Atkins
- Re: [saag] sha1 - have we more work to do? Rick Andrews
- Re: [saag] sha1 - have we more work to do? Sarat G
- Re: [saag] sha1 - have we more work to do? Sandra Murphy
- Re: [saag] sha1 - have we more work to do? Sean Turner
- Re: [saag] sha1 - have we more work to do? Sarat G