[tcpm] status of TCP-MD5 after TCP-AO publication
Lars Eggert <lars.eggert@nokia.com> Wed, 29 July 2009 10:48 UTC
Return-Path: <lars.eggert@nokia.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CEB0B3A6E7A; Wed, 29 Jul 2009 03:48:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_23=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qWWc3irHQZ4S; Wed, 29 Jul 2009 03:48:57 -0700 (PDT)
Received: from mail.fit.nokia.com (mail.fit.nokia.com [195.148.124.195]) by core3.amsl.com (Postfix) with ESMTP id 324383A6F1D; Wed, 29 Jul 2009 03:48:45 -0700 (PDT)
Received: from host-78-64-88-208.homerun.telia.com (host-78-64-88-208.homerun.telia.com [78.64.88.208]) (authenticated bits=0) by mail.fit.nokia.com (8.14.3/8.14.3) with ESMTP id n6TAmb9h005447 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 29 Jul 2009 13:48:38 +0300 (EEST) (envelope-from lars.eggert@nokia.com)
Message-Id: <6BB76CFA-4134-4D3E-BE20-3A90A5111CBD@nokia.com>
From: Lars Eggert <lars.eggert@nokia.com>
To: tcpm@ietf.org
Content-Type: multipart/signed; boundary="Apple-Mail-20--25621888"; micalg="sha1"; protocol="application/pkcs7-signature"
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Wed, 29 Jul 2009 12:48:37 +0200
X-Mailer: Apple Mail (2.935.3)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.2 (mail.fit.nokia.com [212.213.221.39]); Wed, 29 Jul 2009 13:48:38 +0300 (EEST)
Cc: "iesg@ietf.org IESG" <iesg@ietf.org>
Subject: [tcpm] status of TCP-MD5 after TCP-AO publication
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2009 10:48:57 -0000
Hi, at the meeting, the question came up which status TCP-MD5 should have after TCP-AO is published. Specifically, whether it should be obsoleted by TCP-AO and/or if it should be reclassified as Historic. A related issue I came across while trying to form an opinion of the former issue is if the publication of TCP-AO means that we can lift the Standards Variance for TCP-MD5 introduced by RFC4728. (I'm CC'ing the IESG because of this latter point, because that Standards Variance came from the SEC and RTG areas.) I looked at some other cases related to MD5 to see how we handled obsoleting or making things Historic in the past, with regards to TCP- MD5. Example 1 is RFC2537 "RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)", which is obsoleted by RFC3110 "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)", but *not* moved to Historic. (Note that this change replaces MD5 by SHA1, i.e., isn't wire-compatible, similar to how moving from TCP-MD5 to TCP-AO isn't wire-compatible, so that is apparently OK.) Example 2 is RFC2082, which is also obsoleted (but not made Historic) by RFC4822 and also replaces MD5 with another algorithm that affects wire-compatibility. So there is precedent for TCP-AO to obsolete TCP-MD5, which is also what the -AO draft currently contains. Now, on the topic of moving TCP-MD5 to Historic, RFC2026 says that even when one spec obsoletes another, there may be cases where the obsoleted spec is kept at its original level (i.e., not made Historic) to honor the requirements of an installed base, if there is one. (See PS below for the actual text.) I believe that TCP-MD5 will still remain widely deployed initially even after TCP-AO is published, and so moving it to Historic is not something we should aim for at this time. Agreed? Finally, on whether the publication of TCP-AO means that we can lift the Standards Variance for TCP-MD5 introduced by RFC4728, I'd be really interested in hearing your feedback. Thanks, Lars PS: To save you all some scrolling, RFC2026 says this about Historic RFCs: 4.2.4 Historic A specification that has been superseded by a more recent specification or is for any other reason considered to be obsolete is assigned to the "Historic" level. (Purists have suggested that the word should be "Historical"; however, at this point the use of "Historic" is historical.) and later 6.3 Revising a Standard A new version of an established Internet Standard must progress through the full Internet standardization process as if it were a completely new specification. Once the new version has reached the Standard level, it will usually replace the previous version, which will be moved to Historic status. However, in some cases both versions may remain as Internet Standards to honor the requirements of an installed base. In this situation, the relationship between the previous and the new versions must be explicitly stated in the text of the new version or in another appropriate document (e.g., an Applicability Statement; see section 3.2). 6.4 Retiring a Standard As the technology changes and matures, it is possible for a new Standard specification to be so clearly superior technically that one or more existing standards track specifications for the same function should be retired. In this case, or when it is felt for some other reason that an existing standards track specification should be retired, the IESG shall approve a change of status of the old specification(s) to Historic. This recommendation shall be issued with the same Last-Call and notification procedures used for any other standards action. A request to retire an existing standard can originate from a Working Group, an Area Director or some other interested party.
- [tcpm] status of TCP-MD5 after TCP-AO publication Lars Eggert
- Re: [tcpm] status of TCP-MD5 after TCP-AO publica… Iljitsch van Beijnum
- Re: [tcpm] status of TCP-MD5 after TCP-AO publica… Lars Eggert
- Re: [tcpm] status of TCP-MD5 after TCP-AO publica… David Borman
- Re: [tcpm] status of TCP-MD5 after TCP-AO publica… Joe Touch
- Re: [tcpm] status of TCP-MD5 after TCP-AO publica… Ron Bonica
- Re: [tcpm] status of TCP-MD5 after TCP-AO publica… Iljitsch van Beijnum
- Re: [tcpm] status of TCP-MD5 after TCP-AO publica… Smith, Donald
- Re: [tcpm] status of TCP-MD5 after TCP-AO publica… Joe Touch
- Re: [tcpm] status of TCP-MD5 after TCP-AO publica… Chaks Chigurupati (chaks)
- Re: [tcpm] status of TCP-MD5 after TCP-AO publica… Smith, Donald
- Re: [tcpm] status of TCP-MD5 after TCP-AO publica… Chaks Chigurupati (chaks)
- Re: [tcpm] status of TCP-MD5 after TCP-AO publica… toby.moncaster
- Re: [tcpm] status of TCP-MD5 after TCP-AO publica… Iljitsch van Beijnum
- Re: [tcpm] status of TCP-MD5 after TCP-AO publica… Pekka Savola