Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft
Simon Josefsson <simon@josefsson.org> Mon, 22 February 2010 08:33 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 23F7028C11E for <tls@core3.amsl.com>; Mon, 22 Feb 2010 00:33:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.731
X-Spam-Level:
X-Spam-Status: No, score=-2.731 tagged_above=-999 required=5 tests=[AWL=-0.132, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jJQTNYkM5C2P for <tls@core3.amsl.com>; Mon, 22 Feb 2010 00:33:40 -0800 (PST)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by core3.amsl.com (Postfix) with ESMTP id 0715A28C25E for <tls@ietf.org>; Mon, 22 Feb 2010 00:33:38 -0800 (PST)
Received: from mocca (c80-216-24-99.bredband.comhem.se [80.216.24.99]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o1M8ZQbO028562 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 22 Feb 2010 09:35:28 +0100
From: Simon Josefsson <simon@josefsson.org>
To: Brian Smith <brian@briansmith.org>
References: <C7A48643.869E%stefan@aaa-sec.com> <4B7ECFEF.50502@briansmith.org>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:100222:brian@briansmith.org::Cqn4oYEZX5Acpf0I:3FV+
X-Hashcash: 1:22:100222:stefan@aaa-sec.com::hxmTzt+CGnQrdfUU:4zBI
X-Hashcash: 1:22:100222:dpkemp@missi.ncsc.mil::/b5upKuBo5sTwoXL:5iKP
X-Hashcash: 1:22:100222:tls@ietf.org::Swud9Rn+G9EkTJfc:GgOf
Date: Mon, 22 Feb 2010 09:35:26 +0100
In-Reply-To: <4B7ECFEF.50502@briansmith.org> (Brian Smith's message of "Fri, 19 Feb 2010 11:52:47 -0600")
Message-ID: <87k4u5zn01.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: "Kemp, David P." <DPKemp@missi.ncsc.mil>, tls@ietf.org
Subject: Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Feb 2010 08:33:41 -0000
Brian Smith <brian@briansmith.org> writes: > 1. As long as this web page on the NIST website says, basically, > "don't use SHA-1 for anything," people will want to disable SHA-1 > whenever they can. It doesn't matter that this page on the website > isn't the official NIST recommendation on the matter. I'd like to suggest another argument to support your reasoning: some FIPS approved crypto libraries no longer export MD5. I expect the same to be true for SHA-1 within a few years. This means that SHA-1 will no longer be as easily available, for these non-crypto purposes needed in tls-cached-info. We noticed this in GnuTLS, that needs MD5 for older TLS versions. Our "solution" was to add an optional MD5 implementation to GnuTLS, rather than always depending on the crypto library for MD5. This felt strange to do, but is the logical consequence of deprecating MD5, and eventually SHA-1, as supported algorithms. Chosing SHA-256 will give us more time, but we'll likely run into the same issue eventually anyway. I believe this suggests that algorithm agility is useful whenever any crypto-related algorithm is _used_, even if it is used for non-crypto related purposes. /Simon
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Nikos Mavrogiannopoulos
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Michael D'Errico
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Nikos Mavrogiannopoulos
- Re: [TLS] Android's cut-through mode & "RequestTi… Brian Smith
- [TLS] Stream multiplexing extension RE: SPDY / Ne… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- [TLS] TLS Performance (was Re: draft-ietf-tls-cac… Michael D'Errico
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Kemp, David P.
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- [TLS] Cached-info substitution Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Kemp, David P.
- Re: [TLS] Cached-info substitution Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] Cached-info substitution Adam Langley
- Re: [TLS] Cached-info substitution Brian Smith
- Re: [TLS] Cached-info substitution Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] Cached-info substitution Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Kemp, David P.
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- [TLS] RFC 5077 (was Re: draft-ietf-tls-cached-inf… Michael D'Errico
- Re: [TLS] Cached-info substitution Adam Langley
- Re: [TLS] Cached-info substitution Wan-Teh Chang
- Re: [TLS] Cached-info substitution Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Kemp, David P.
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-cach… Kemp, David P.
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Marsh Ray
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Yoav Nir
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Joseph Salowey (jsalowey)
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Donald Eastlake
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Joseph Salowey (jsalowey)
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Marsh Ray
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Michael D'Errico