Re: [therightkey] algorithm blacklisting
Carl Wallace <carl@redhoundsoftware.com> Fri, 03 January 2014 17:45 UTC
Return-Path: <carl@redhoundsoftware.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77C061ADFE0 for <therightkey@ietfa.amsl.com>; Fri, 3 Jan 2014 09:45:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.601
X-Spam-Level:
X-Spam-Status: No, score=-4.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u2ScWBpRIHOW for <therightkey@ietfa.amsl.com>; Fri, 3 Jan 2014 09:45:43 -0800 (PST)
Received: from mail-qe0-f47.google.com (mail-qe0-f47.google.com [209.85.128.47]) by ietfa.amsl.com (Postfix) with ESMTP id B3FA71ADFD7 for <therightkey@ietf.org>; Fri, 3 Jan 2014 09:45:42 -0800 (PST)
Received: by mail-qe0-f47.google.com with SMTP id t7so15599227qeb.6 for <therightkey@ietf.org>; Fri, 03 Jan 2014 09:45:35 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:user-agent:date:subject:from:to:message-id :thread-topic:references:in-reply-to:mime-version:content-type :content-transfer-encoding; bh=9C87o0dSYhowEWx2Httbgdf0xjCNQKJPvevBnUhwWtw=; b=ef+TrARR5nfVqzrDT/ty0peBDu0msCkeWDNYFOQK2YIgfJedFQqooI1u9uYIOlmb4u 1DpwI0y/VfJJwxaQxHEPcnFmEpKSGo0cm2vBeoDlQusYOvTWMjr8VTJh66Fo1dgHqm0C guxfxtkduue3zrrk941bbcsllct2SfPiaGlwyFA7LRDKXR/ZeFLuyTsdzJOysmGfjwu4 mwd8P1qx+0iCjp2ISXHF/clGIS5S1sXKpIZYUIb9L0FQ8BC7LChqxseOrNdFg8kiOb0I Vzgxvg5RmWtXTkJlh1Z6a/JiWQq7tKgmLJy35jpYzfPMaIHpEGwitlA9GOb36xiDQ7dL F01Q==
X-Gm-Message-State: ALoCoQkb0BwdNUZ80rMDoPagFtKS1bW3JWVrRoglVuBTdn79Dj1oS7+qq9159c6HU08gvRCXd43S
X-Received: by 10.49.39.165 with SMTP id q5mr155441264qek.48.1388771135222; Fri, 03 Jan 2014 09:45:35 -0800 (PST)
Received: from [192.168.2.4] (pool-173-79-106-67.washdc.fios.verizon.net. [173.79.106.67]) by mx.google.com with ESMTPSA id p20sm86650650qay.0.2014.01.03.09.45.33 for <therightkey@ietf.org> (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 03 Jan 2014 09:45:34 -0800 (PST)
User-Agent: Microsoft-MacOutlook/14.3.9.131030
Date: Fri, 03 Jan 2014 12:45:32 -0500
From: Carl Wallace <carl@redhoundsoftware.com>
To: therightkey@ietf.org
Message-ID: <CEEC603F.C9EA%carl@redhoundsoftware.com>
Thread-Topic: [therightkey] algorithm blacklisting
References: <CEEC5C32.C9C9%carl@redhoundsoftware.com> <52C6F566.8010409@net.in.tum.de>
In-Reply-To: <52C6F566.8010409@net.in.tum.de>
Mime-version: 1.0
Content-type: text/plain; charset="ISO-8859-1"
Content-transfer-encoding: quoted-printable
Subject: Re: [therightkey] algorithm blacklisting
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jan 2014 17:45:45 -0000
On 1/3/14, 12:37 PM, "Ralph Holz" <holz@net.in.tum.de> wrote: >Hi, > >>> Alternatively, pull the root cert from which MD5 signatures were >>>issued. >>> As the MD5 attack still had considerable cost (for the hobby blackhat, >>> not a 3-letter agency), it was deemed that this must suffice for a >>>while. >> >> To make the discussion CT-compliant, having logs provide a list of >> algorithms that are used by each CA would be a nice feature to enable >> decisions like this. > >Although, in the case you mention, that would not help all that much. >Fortunately, the days of MD5 in X.509 are over. I imagine other algorithms will see a similar fate at some point. > >But in fact, I've been thinking for a while that an additional >monitoring infrastructure would be a nice-to-have thing in addition to >CT --- and, FWIW, also TACK --- I view both drafts as naturally >complementing each other. Yes, better monitoring tools would be very helpful. > >CT, for example, is not meant to address the issue of whether >certificates have been deployed correctly (e.g. correct host). I think >active scans are still worthwhile to collect such information. Identifying types of metrics that are useful to draw from a CT collections seems like a worthwhile exercise. Improved awareness of how a CA is used sits under many suggestions, such as yours above to remove root CAs that have used MD5. > >Ralph > >-- >Ralph Holz >I8 - Network Architectures and Services >Technische Universität München >http://www.net.in.tum.de/de/mitarbeiter/holz/ >Phone +49.89.289.18043 >PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF >_______________________________________________ >therightkey mailing list >therightkey@ietf.org >https://www.ietf.org/mailman/listinfo/therightkey
- Re: [therightkey] algorithm blacklisting Carl Wallace
- Re: [therightkey] algorithm blacklisting Ralph Holz
- Re: [therightkey] algorithm blacklisting Carl Wallace
- Re: [therightkey] algorithm blacklisting Ralph Holz
- Re: [therightkey] algorithm blacklisting Ralph Holz