IETF Logo Mail Archive

Re: [saag] SHA-1 to SHA-n transition

Nicolas Williams <Nicolas.Williams@sun.com> Tue, 03 March 2009 16:16 UTC

Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B6AAE28C232 for <saag@core3.amsl.com>; Tue, 3 Mar 2009 08:16:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.887
X-Spam-Level:
X-Spam-Status: No, score=-5.887 tagged_above=-999 required=5 tests=[AWL=0.159, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 71k4mrOPbVdY for <saag@core3.amsl.com>; Tue, 3 Mar 2009 08:16:37 -0800 (PST)
Received: from brmea-mail-1.sun.com (brmea-mail-1.Sun.COM [192.18.98.31]) by core3.amsl.com (Postfix) with ESMTP id C3A333A69E9 for <saag@ietf.org>; Tue, 3 Mar 2009 08:16:31 -0800 (PST)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by brmea-mail-1.sun.com (8.13.6+Sun/8.12.9) with ESMTP id n23GGwSa009531 for <saag@ietf.org>; Tue, 3 Mar 2009 16:16:59 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id n23GGsXx005155 for <saag@ietf.org>; Tue, 3 Mar 2009 09:16:54 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n23G0CMV014154; Tue, 3 Mar 2009 10:00:13 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n23G07QT014153; Tue, 3 Mar 2009 10:00:07 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Tue, 03 Mar 2009 10:00:07 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Message-ID: <20090303160007.GW9992@Sun.COM>
References: <20090302181143.2B7B550822@romeo.rtfm.com> <E1LeWpO-00075B-8L@wintermute01.cs.auckland.ac.nz>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <E1LeWpO-00075B-8L@wintermute01.cs.auckland.ac.nz>
User-Agent: Mutt/1.5.7i
Cc: saag@ietf.org, mouse@Rodents-Montreal.ORG
Subject: Re: [saag] SHA-1 to SHA-n transition
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Mar 2009 16:16:37 -0000

On Wed, Mar 04, 2009 at 04:46:42AM +1300, Peter Gutmann wrote:
> Eric Rescorla <ekr@networkresonance.com> writes:
> >"We must do something. This is something. We must do this."
> 
> So you've got the choice between the Polician's Fallacy (the above) and
> psychosis ("PKI has been failing for 30 years [0], let's try more of it in the
> hope that it suddenly works this time").

Well, no, there's also the choice of making PKIs work -- that requires
more political work than technical, and may be as infeasible as a good
unregulated PKI has been.

Also, I'm not sure that well-regulated PKI will necessarily be a good
thing -- I can already imagine the complaints about how red tape slows
everything down, doesn't scale, blah, blah, blah.  But if the consensus
here was that that is what we need, and if politicians told us it's
feasible then it'd be worth trying.

> I think we need psychiatrists for this more than we need security geeks.
> 
> (I don't know the answer either, but admitting you have a problem with your
> current approach is always the first step to recovery).

How long has the consensus been that web security is broke?  Admitting
you have a problem is the first step, but it is not sufficient.

Nico
--

v2.23.0 | Report a Bug | By Email