[Spasm] Consideration for MD5 as untrusted in RFC5751bis? (and related doc)
Wei Chuang <weihaw@google.com> Thu, 05 May 2016 23:57 UTC
From: Wei Chuang <weihaw@google.com>
Date: Thu, 05 May 2016 16:57:31 -0700
Message-ID: <CAAFsWK2A88z9o-hhxsWMbAfabtu2UZ6GauZe0ft5TFX9xtvY1w@mail.gmail.com>
To: spasm@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/spasm/1jhS5R3kIwKjioHXJcK8GFvVoSA>
Subject: [Spasm] Consideration for MD5 as untrusted in RFC5751bis? (and related doc)
Hi everyone,

I wanted to bring more eyes to the proposal, which is to treat the MD5 digest as untrusted in updates to draft-schaad-rfc5751-bis-00. It's long been documented in RFC6151, which is from 2011, that "MD5 is no longer acceptable where collision resistance is required such as digital signatures". And since then there have been real-world examples where MD5 has been exploited, e.g. search for "Flame MD5". Note when the exploit was posted, and consider that compute power has substantially improved, increasing the accessibility of the exploit. Consequently, as we update RFC5751 we should deprecate MD5 from the list of trusted algorithms. We should similarly do this for RFC5750, i.e. consider an RFC5750bis and deprecate MD5 there as well.

Now, understandably, there is the issue of backwards compatibility. There already is support in both documents for this, as they specify warning users when RSA and DSA with keysize < 1024 is used. They also differentiate treatment of archived messages from newly received messages. We should do the same for MD5, and formalize this process for other future deprecations of keylength and algorithms. I further propose that language be adjusted so sending agents must not use these deprecated algorithms or keysizes.

Please provide your opinion / feedback, as community opinion is very important for this issue.

thanks very much,
-Wei
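The receiving- and sending-agent policy sketched in the message above, worked as an added Python example. This is not code from the post, from RFC 5751 or from any draft; it assumes the `micalg` parameter of a `multipart/signed` Content-Type header (RFC 5751 section 3.4.3.2) is the digest indicator, treats SHA-1 as "warn" only for illustration (the post proposes nothing about SHA-1), uses a constructed policy cut-off date to separate archived from newly received mail, and uses a constructed sample message with the signature body omitted.

```python
"""Signature-strength policy for an S/MIME agent (added example).

Encodes the proposal from the list post: MD5 digests are untrusted,
RSA/DSA keys shorter than 1024 bits draw a warning, archived messages
are reported separately from newly received ones, and a sending agent
never picks a deprecated digest.
"""
import email
from email import policy as email_policy
from datetime import datetime, timezone

# micalg values from RFC 5751 section 3.4.3.2 mapped to a trust level.
# Unknown values fail closed (treated as untrusted).
DIGEST_STATUS = {
    "md5": "untrusted",
    "sha-1": "warn",        # assumption for this example only; the post covers MD5
    "sha-224": "ok",
    "sha-256": "ok",
    "sha-384": "ok",
    "sha-512": "ok",
}
MIN_KEY_BITS = 1024         # RFC 5751 already warns on RSA/DSA keys below this

# Constructed cut-off: mail received before this date is treated as archived.
POLICY_EFFECTIVE = datetime(2016, 5, 5, tzinfo=timezone.utc)

# Constructed sample: a clear-signed message whose signer used MD5.
SIGNED_MSG = """\
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=md5; boundary="boundary42"

--boundary42
Content-Type: text/plain

This is a clear-signed message.
--boundary42
Content-Type: application/pkcs7-signature; name="smime.p7s"

(signature bytes omitted in this constructed sample)
--boundary42--
"""


def micalg_of(raw_message):
    """Return the micalg parameter of a multipart/signed message, else None."""
    msg = email.message_from_string(raw_message, policy=email_policy.default)
    if msg.get_content_type() != "multipart/signed":
        return None
    return msg.get_param("micalg")


def classify_signature(micalg, key_bits, received=None):
    """Receiving-agent verdict for one signature.

    Returns (verdict, archived, reasons). verdict is "ok", "warn" or
    "untrusted"; archived is True when the message predates the policy
    cut-off, so a UI can flag old mail without rejecting it outright.
    """
    received = received or datetime.now(timezone.utc)
    reasons = []
    verdict = DIGEST_STATUS.get((micalg or "").lower(), "untrusted")
    if verdict != "ok":
        reasons.append(f"digest {micalg!r} is {verdict}")
    if key_bits < MIN_KEY_BITS:
        reasons.append(f"key size {key_bits} < {MIN_KEY_BITS} bits")
        if verdict == "ok":
            verdict = "warn"
    archived = received < POLICY_EFFECTIVE and bool(reasons)
    return verdict, archived, reasons


def choose_sending_digest(preferred):
    """Sending agent: take the first preferred digest that is not deprecated."""
    for alg in preferred:
        if DIGEST_STATUS.get(alg.lower()) == "ok":
            return alg
    raise ValueError("no acceptable digest algorithm in preference list")


def run_demo():
    """Evaluate the constructed sample as new mail and as archived mail."""
    alg = micalg_of(SIGNED_MSG)
    old = datetime(2012, 1, 1, tzinfo=timezone.utc)
    return {
        "micalg": alg,
        "new": classify_signature(alg, 2048),
        "archived": classify_signature(alg, 2048, received=old),
        "send": choose_sending_digest(["md5", "sha-1", "sha-256"]),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The receiving side deliberately keeps the "archived" bit separate from the verdict: the digest is still reported as untrusted, but the agent can render a message that was already in the mailbox before the cut-off differently from one arriving today, which is the distinction the post asks to reuse from the existing weak-key text.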