Re: [TLS] MD5 diediedie (was Re: Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms)

[Viktor Dukhovni <ietf-dane@dukhovni.org>]

On Mon, Jan 11, 2016 at 10:42:45PM -0500, Dave Garrett wrote:

> No sane person disputes that MD5 needs to be eradicated ASAP. We're keeping
> MD5||SHA1 in old TLS for compatibility and we are well aware that needs
> to go eventually too. Thus, I suggest we publish an MD5 diediedie standards
> track RFC to prohibit ALL standalone MD5 use in ALL IETF
> protocols/standards. 

With some exceptions, for example:

    * As you note in your last comment, X.509 self-signatures via
    MD5 may continue to be ignored, once MD5 is "banned" in the same
    way that they should have been ignored before it was "banned".

    * S/MIME parsers may continue to parse old S/MIME messages with
      MD/5 signatures.  More generally, Encrypted data at rest may
      need support for MD5 for the lifetime of the data (until
      re-encrypted, ...).

    * PEM files holding RSA private encrypted keys may continue
    to use the legacy MD5-based KDF so that the keys can be
    decrypted.

> Also, when I say "prohibited" here, I mean _completely_.

There is no Internet police, and the IETF does not get to prohibit
the use of MD5, we only get to write protocol standards.

> No MD5 function should remain in the relevant codebase;

In particular the IETF does not get to tell anyone which functions
they get to include in their codebase.  So no IETF document saying
such a thing makes much difference.

> if MD5||SHA1 support is continued,
> there should be one function that does only that without any way to get
> a plain MD5 hash.

This turns out to be a good idea anyway, thus, for example, OpenSSL
1.1.0-apha2 just recently added an EVP_md5_sha1() hash function.

-- 
	Viktor.