Re: [TLS] Last Call: <draft-ietf-tls-md5-sha1-deprecate-04.txt> (Deprecating MD5 and SHA-1 signature hashes in TLS 1.2) to Proposed Standard

tom petch <daedulus@btconnect.com> Fri, 16 October 2020 08:56 UTC

Return-Path: <daedulus@btconnect.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BF433A0DF9; Fri, 16 Oct 2020 01:56:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.113
X-Spam-Level:
X-Spam-Status: No, score=-2.113 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.213, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n119Cc41EGj9; Fri, 16 Oct 2020 01:56:42 -0700 (PDT)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00105.outbound.protection.outlook.com [40.107.0.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 665F43A0DEF; Fri, 16 Oct 2020 01:56:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mWPT9w1UP13jarNc7gaj9d0bXQeeqWbjJdPwSdrxJpHySa9XJ342muBNaCALK1seQ82kGAkRudQUY9xH55AgHFd6bmix0bxGmcS7gQYgUrWl5+kvAALMpDC8bd4oc0b9NehDxEAAPtRTNa2gxPo/9O+V+3oRyiVnV1g8fqQDSyiSyFMvy7z/EOMhWFDiWPVdQ1ptW27f75F1oi54XuxZFNtjqyhnOtR4myvgQTRYyPsRRQLr9kM5xxHXd4EWX25CRW3NaDA3cywtk9q+QmDTU/tW51Zfc3G2xpJ2aamQiCHvOPkkECMSWNERGd4pzrhBfgOTYquQvrc4EEOT43tz6Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DNg8bs38wgth8Yj4NXqYpVM9rAtHtE0e6iULaPI3q3Q=; b=FH4Y1WavKPid1o8SzubmDobpyG4jWd8DRzBNhp8+upPHp50wci/6P05r17QyTAA2JADxrtcXJR5f4DmHjC2ITzfcYtqgyqsleeDnK+5E8KZ4A/X4H+ghQw8QjzHOsALwEmQ5nCwzb4FdxfWFZgIL2+0qdANPg7oXHKkroA6bMMEgBu9r0b8cYlb9/X8yMzzlUa/6PsQx+zeqoC5TnRagjpfKPYHav+v02NLlzn7SHl175vdrgSw9xzFbtGejbS9+NWtn0CkR0sGRByRqL+Zt8hZHlStaXj9sdMDt0YDtmL+7TPkXz/gsO+AaXmC60Z0NRLLVMj97secvV9NHT+qlGw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=btconnect.com; dmarc=pass action=none header.from=btconnect.com; dkim=pass header.d=btconnect.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector2-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DNg8bs38wgth8Yj4NXqYpVM9rAtHtE0e6iULaPI3q3Q=; b=dlspyBsmLe+yLB+NYGmkkuyPvwD/Tdxixkpky37+eV+MZSzk0AwPXMe4xucmo6F84bW73nRgrjPlGCS5ybTs9GJtstXC0cS33smNOzaeqmOnMJqkqmlBNIw/4c9YzlKgiZwfn/hW6ENTD6zdk6epadXzXkdeLZET0oSlhjUXwq0=
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=btconnect.com;
Received: from VI1PR07MB6704.eurprd07.prod.outlook.com (2603:10a6:800:18b::8) by VI1PR07MB4142.eurprd07.prod.outlook.com (2603:10a6:803:35::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3499.9; Fri, 16 Oct 2020 08:56:38 +0000
Received: from VI1PR07MB6704.eurprd07.prod.outlook.com ([fe80::6165:9c1c:e5b1:15db]) by VI1PR07MB6704.eurprd07.prod.outlook.com ([fe80::6165:9c1c:e5b1:15db%4]) with mapi id 15.20.3477.015; Fri, 16 Oct 2020 08:56:38 +0000
To: last-call@ietf.org
References: <160270080535.5894.280254092203286109@ietfa.amsl.com>
Cc: rdd@cert.org, tls-chairs@ietf.org, tls@ietf.org, draft-ietf-tls-md5-sha1-deprecate@ietf.org
From: tom petch <daedulus@btconnect.com>
Message-ID: <5F896042.6090804@btconnect.com>
Date: Fri, 16 Oct 2020 09:56:34 +0100
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 Thunderbird/38.5.0
In-Reply-To: <160270080535.5894.280254092203286109@ietfa.amsl.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [86.146.121.140]
X-ClientProxiedBy: LNXP265CA0089.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:76::29) To VI1PR07MB6704.eurprd07.prod.outlook.com (2603:10a6:800:18b::8)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [192.168.1.65] (86.146.121.140) by LNXP265CA0089.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:76::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.20.3477.21 via Frontend Transport; Fri, 16 Oct 2020 08:56:37 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 2fd1fb9f-e3b2-486a-0a01-08d871b16485
X-MS-TrafficTypeDiagnostic: VI1PR07MB4142:
X-Microsoft-Antispam-PRVS: <VI1PR07MB414246756C37750C2B410924C6030@VI1PR07MB4142.eurprd07.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: SBQGWo2hB4U5UAOKsQkZF6og1u3o+csSCBXyWXgzLhx1nl5r9tm5IXyxg3AhoPEOl9YsA9d+QYbxtkr6EKyVCIGSN9cmIavkoisV5Ky+NnX7TBFmG8bhVtQUMaIn3IhscTHdsgZaaMCNHQZ2pFePAwDKhpiPJY1nhS8WtPF0wn9wXY1jF9VWy/ruFPS1m9OmCOA6XeBW9V/yJoppomEH3YZbMtkeTF93GBx8GOmVZMaKmShUzLZFC6ePT+iTfV1W2INrkQp8z451FNTYajjgxG2CV5bNvRPCMhPbq8++Zj93LJQRb0nuX02EJiwhtPO6mV576qxGlb7Rj3+fLzkxLldU25xIEdqPn+um9zUJ83XM/NUHnSWzQd40AN/EVGbkR+/nYDsUTGtSos3JOlzNAQ==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR07MB6704.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(376002)(346002)(136003)(39860400002)(366004)(396003)(478600001)(956004)(4326008)(2616005)(87266011)(52116002)(86362001)(2906002)(26005)(186003)(8676002)(36756003)(16526019)(53546011)(66556008)(16576012)(4001150100001)(8936002)(6666004)(316002)(66946007)(966005)(5660300002)(83380400001)(66476007)(33656002)(6916009)(6486002); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData: xT6EkquyYyU1k83og/UTwy7TEsUR47mI7mrXU5Qp3G4uq0I5ofJbFXtY5b7Nn46RrsYej3W7ZynKzjFwuZ9t9b1FPi6Nfkys7nRP7zAQlQjJPUOwjoIemL8PwSSh0OkmIHxqvsPj8L492cVoXDvtNHHjEAE6bzme3Ng8ARDmvzLHxPFurZE3hl0H3x5Cg1R/6xUQ26K0pkhd5DgYGrmEbfD4QV2iW7zPK/kz4YfqGbsSd0Hy/mekf6Ufey6GfgDfS5IV7whddrUfOJQFay3E9nncn+dVOMd2ImrjXdRKhxOe8+rXeWlr2bA3n4K500fn8giWuzy+FIaMNB6ZLUHoIWArtB5uKl2c7n0XHOmT3LeI4T69rbeB2Tp9551mql9PGCtNyqpGUyCKC9L+KZp5ew9V7s4Y3Scqymn0E9SIUOL2jilSxrXdk5KqQ3FY8heJFMsIPJtFCIUVXsoU2o3s44DHz1koQpdJyo9Cgt1cwHKj5UB+4uUupRsFgy+RhOdqVhypvteaYSIpSGWQZjGx9McJJCvlhwQHWtA0yFZSBuJvOgJkIE/cgULlZG+TdtGQvzqKRRcigaTBP3mTfzFWOwl+Id0R9Kq1VYtkNUO1OBRWvfN8V2jqPgSrOeqIcqvk3Zy5bXIFB/uS+xVvavH0zQ==
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2fd1fb9f-e3b2-486a-0a01-08d871b16485
X-MS-Exchange-CrossTenant-AuthSource: VI1PR07MB6704.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Oct 2020 08:56:38.4686 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: hnUi1rq7KtqkwhVCtwf8jZ1bX9z8sVumfWlM17z8F/nfTqJspA4ii5w/hZeXQYnFPs/oC8YrjgH4KpWAYB+jqg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB4142
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FJzF59keKy-xxkM9dPhmiDG0M84>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-md5-sha1-deprecate-04.txt> (Deprecating MD5 and SHA-1 signature hashes in TLS 1.2) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2020 08:56:44 -0000

I think that the first sentence could be improved.

'The MD5 and SHA-1 hashing algorithms are steadily weakening ...' sounds 
as if they are under attack from electrolytic corrosion or the 
death-watch beatle.

I suggest
NEW
'The MD5 and SHA-1 hashing algorithms are increasingly vulnerable to 
attack and this document deprecates their use in TLS 1.2 digital 
signatures.'

And

/This draft/This document/

Tom Petch

On 14/10/2020 19:40, The IESG wrote:
>
> The IESG has received a request from the Transport Layer Security WG (tls) to
> consider the following document: - 'Deprecating MD5 and SHA-1 signature
> hashes in TLS 1.2'
>    <draft-ietf-tls-md5-sha1-deprecate-04.txt> as Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> last-call@ietf.org mailing lists by 2020-10-28. Exceptionally, comments may
> be sent to iesg@ietf.org instead. In either case, please retain the beginning
> of the Subject line to allow automated sorting.
>
> Abstract
>
>
>     The MD5 and SHA-1 hashing algorithms are steadily weakening in
>     strength and their deprecation process should begin for their use in
>     TLS 1.2 digital signatures.  However, this document does not
>     deprecate SHA-1 in HMAC for record protection.  This document updates
>     RFC 5246 and RFC 7525.
>
>
>
>
> The file can be obtained via
> https://datatracker.ietf.org/doc/draft-ietf-tls-md5-sha1-deprecate/
>
>
>
> No IPR declarations have been submitted directly on this I-D.
>
>
>
>
>
> _______________________________________________
> IETF-Announce mailing list
> IETF-Announce@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf-announce
> .
>