Re: [TLS] MD5 diediedie (was Re: Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms)

Yuhong Bao <yuhongbao_386@hotmail.com> Tue, 12 January 2016 03:54 UTC

Message-ID: <BLU177-W292B808932A11C1C3D6720C3CA0@phx.gbl>
From: Yuhong Bao <yuhongbao_386@hotmail.com>
To: Dave Garrett <davemgarrett@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Date: Mon, 11 Jan 2016 19:54:14 -0800
In-Reply-To: <201601112242.46115.davemgarrett@gmail.com>
References: <20160111183017.GA12243@roeckx.be>, <9A043F3CF02CD34C8E74AC1594475C73F4BC5FC6@uxcn10-5.UoA.auckland.ac.nz>, <CAHOTMVK7JQ-UR1j=H3Rio4V-FgSvxgLdU3PDTZhLuA5bOMr+wg@mail.gmail.com>, <201601112242.46115.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/qMKdvU2KvqDg_a3PXWPBe-fpRFY>
Subject: Re: [TLS] MD5 diediedie (was Re: Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms)

> Note that continued support of trust anchors with MD5 hashes is not dependent on this, as we've already agreed they don't need to be validated. (they need to be phased out, but with less urgency) If used within this specific context, nothing even needs the ability to understand MD5 hashes at all in order to handle these; the certificate as a whole is trusted or not.

That being said, I think there are very few of the roots left in Mozilla's root store anyway. Similarly, HMAC-MD5 is safe too, but the only non-export cipher suite that uses it is the RC4 one anyway.

Yuhong Bao
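The handling of MD5-signed trust anchors described in the quoted paragraph, as an added example that is not code from this thread or from any TLS implementation: a chain checker that rejects certificates signed with md5WithRSAEncryption (and md2WithRSAEncryption) but never looks at the signature algorithm of a certificate that is itself in the trust store, since an anchor is trusted as a whole and its signature is never validated. It uses a hand-written minimal DER reader (standard library only) to pull the AlgorithmIdentifier OIDs out of a Certificate, and adds one check of my own that the thread does not mention: RFC 5280 section 4.1.1.2 requires the outer signatureAlgorithm and the inner TBSCertificate.signature to match. The certificates, names and OID constants below are constructed sample data with dummy keys and signature bytes; nothing here verifies a signature.

```python
"""Reject MD5-signed certificates in a chain, but never inspect a trust anchor.
Standard library only; sample certificates are constructed with dummy
key and signature bytes, so no signature is ever verified."""

# Well-known AlgorithmIdentifier OIDs (RFC 3279 / RFC 4055).
MD2_WITH_RSA = "1.2.840.113549.1.1.2"
MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
WEAK_SIGNATURE_OIDS = frozenset({MD2_WITH_RSA, MD5_WITH_RSA})

def der_len(n):
    """DER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:              # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):
    """Return (tag, body, position after the element); single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def signature_oids(der):
    """Return (Certificate.signatureAlgorithm, TBSCertificate.signature) as dotted OIDs."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs, pos = read_tlv(cert, 0)
    _, outer_alg, _ = read_tlv(cert, pos)
    _, outer_oid, _ = read_tlv(outer_alg, 0)
    tag, _, p = read_tlv(tbs, 0)      # [0] version is optional (absent in v1 certs)
    if tag == 0xA0:
        _, _, p = read_tlv(tbs, p)    # skip serialNumber
    _, inner_alg, _ = read_tlv(tbs, p)
    _, inner_oid, _ = read_tlv(inner_alg, 0)
    return decode_oid(outer_oid), decode_oid(inner_oid)

def check_chain(chain, trust_store, weak=WEAK_SIGNATURE_OIDS):
    """chain: DER certificates, leaf first. Returns a list of (index, reason)."""
    findings = []
    for i, der in enumerate(chain):
        if der in trust_store:
            continue                  # anchor: trusted as a whole, signature never examined
        outer, inner = signature_oids(der)
        if outer != inner:            # RFC 5280 4.1.1.2: the two fields must match
            findings.append((i, "signatureAlgorithm mismatch %s vs %s" % (outer, inner)))
        if outer in weak:
            findings.append((i, "weak signature algorithm " + outer))
    return findings

# Constructed sample certificates (hypothetical names, dummy key and signature bytes).
def x500_name(cn):
    atv = tlv(0x30, encode_oid("2.5.4.3") + tlv(0x13, cn.encode("ascii")))
    return tlv(0x30, tlv(0x31, atv))

def make_cert(subject_cn, issuer_cn, sig_oid):
    alg = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))                          # version v3
                    + tlv(0x02, b"\x01") + alg + x500_name(issuer_cn)      # serial, signature, issuer
                    + tlv(0x30, tlv(0x17, b"160101000000Z") + tlv(0x17, b"260101000000Z"))
                    + x500_name(subject_cn)
                    + tlv(0x30, tlv(0x30, encode_oid(RSA_ENCRYPTION) + b"\x05\x00")
                                + tlv(0x03, b"\x00" * 9)))                 # dummy public key
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 17))                  # dummy signature

ROOT = make_cert("Old MD5 Root", "Old MD5 Root", MD5_WITH_RSA)
INTERMEDIATE = make_cert("Intermediate CA", "Old MD5 Root", SHA256_WITH_RSA)
MD5_INTERMEDIATE = make_cert("Bad Intermediate", "Old MD5 Root", MD5_WITH_RSA)
LEAF = make_cert("example.com", "Intermediate CA", SHA256_WITH_RSA)
TRUST_STORE = {ROOT}

if __name__ == "__main__":
    print(check_chain([LEAF, INTERMEDIATE, ROOT], TRUST_STORE))      # MD5 root in store: clean
    print(check_chain([LEAF, MD5_INTERMEDIATE, ROOT], TRUST_STORE))  # MD5 intermediate: flagged
    print(check_chain([LEAF, INTERMEDIATE, ROOT], set()))            # same root, not trusted: flagged
```

The trust-store test is byte-for-byte membership, which is what "the certificate as a whole is trusted or not" amounts to in practice: the checker never needs to know what md5WithRSAEncryption is to accept the anchor, and the same root is flagged the moment it is removed from the store and has to be treated as an ordinary chain element.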