IETF Logo Mail Archive

Re: [saag] SHA-1 to SHA-n transition

Jeffrey Hutzelman <jhutz@cmu.edu> Tue, 03 March 2009 19:33 UTC

Return-Path: <jhutz@cmu.edu>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 275593A685D for <saag@core3.amsl.com>; Tue, 3 Mar 2009 11:33:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.508
X-Spam-Level:
X-Spam-Status: No, score=-5.508 tagged_above=-999 required=5 tests=[AWL=1.091, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GKyRusDjIqqT for <saag@core3.amsl.com>; Tue, 3 Mar 2009 11:33:41 -0800 (PST)
Received: from jackfruit.srv.cs.cmu.edu (JACKFRUIT.SRV.CS.CMU.EDU [128.2.201.16]) by core3.amsl.com (Postfix) with ESMTP id 4BFE03A67F9 for <saag@ietf.org>; Tue, 3 Mar 2009 11:33:41 -0800 (PST)
Received: from 68-247-236-105.pools.spcsdns.net (173-115-63-122.pools.spcsdns.net [173.115.63.122]) (authenticated bits=0) by jackfruit.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id n23JXvfV015531 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 3 Mar 2009 14:33:59 -0500 (EST)
Date: Tue, 03 Mar 2009 14:33:57 -0500
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, ekr@networkresonance.com
Message-ID: <7B2E73A2FEDFDF2435195247@atlantis.pc.cs.cmu.edu>
In-Reply-To: <E1LeaCT-0001WI-2K@wintermute01.cs.auckland.ac.nz>
References: <E1LeaCT-0001WI-2K@wintermute01.cs.auckland.ac.nz>
X-Mailer: Mulberry/4.0.8 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Scanned-By: mimedefang-cmuscs on 128.2.201.16
Cc: mouse@Rodents-Montreal.ORG, Nicolas.Williams@sun.com, saag@ietf.org
Subject: Re: [saag] SHA-1 to SHA-n transition
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Mar 2009 19:33:42 -0000

--On Wednesday, March 04, 2009 08:22:45 AM +1300 Peter Gutmann 
<pgut001@cs.auckland.ac.nz> wrote:

> Jeffrey Hutzelman <jhutz@cmu.edu> writes:
>
>> Unfortunately, it also creates a fairly signficant set of problems, in
>> that the credentials are no longer portable -- besides needing to know
>> your password, you need a salt that's hidden somewhere in your browser's
>> long-term state.
>
> Yes, I know, and I also knew that every time anyone mentions something
> like this someone immediately raises the point you've just made, which is
> why I addressed it in my original message.

You seem to imply that only weird technical people have or use more than 
one computer.  This is certainly not true; many people have a computer at 
home and one at work, and many of those are quite non-technical.  Computers 
have become commonplace desktop items both in the home and in the office.

Also, telling people "if the disk on your home PC dies, your life is over" 
is a good way to get them _not_ to use a scheme like this.  Saying the 
solution is to always have backups is just going to get you laughed at.

-- Jeff

v2.23.0 | Report a Bug | By Email