On Tue, Jan 21, 2020 at 12:31 PM Tony Finch <d...@dotat.at> wrote: > > Warren Kumari <war...@kumari.net> wrote: > > > > I don't think that it is realistic to deprecate SHA-1 in TSIG for the > > foreseeable future, but stronger recommendations about moving to > > SHA-256 might be in order. > > Yes. > > > There is already some text: > > For context, the preceding paragraph says: > > The only message digest algorithm specified in the first version of > these specifications [RFC2845] was "HMAC-MD5" (see [RFC1321], > [RFC2104]). Although a review of its security [RFC6151] concluded > that "it may not be urgent to remove HMAC-MD5 from the existing > protocols", with the availability of more secure alternatives the > opportunity has been taken to make the implementation of this > algorithm optional. > > > The use of SHA-1 [FIPS180-4], [RFC3174], (which is a 160-bit hash as > > compared to the 128 bits for MD5), and additional hash algorithms in > > the SHA family [FIPS180-4], [RFC3874], [RFC6234] with 224, 256, 384, > > and 512 bits may be preferred in some cases. This is because > > increasingly successful cryptanalytic attacks are being made on the > > shorter hashes. > > I think the quoted paragraph should say something like: > > [RFC4635] added mandatory support in TSIG for SHA-1 [FIPS180-4], > [RFC3174]. SHA-1 collisions have been demonstrated so the MD5 > security considerations apply to SHA-1 in a similar manner. > > Although support for hmac-sha1 in TSIG is still mandatory for > compatibility reasons, existing uses should be replaced with > hmac-sha256 or other SHA-2 digest algorithms [FIPS180-4], [RFC3874], > [RFC6234]. > > Tony.
Oooh. I like it - that seems to address both my, and (presumably!) Magnus' concerns -- anyone object / have any additions? W > -- > f.anthony.n.finch <d...@dotat.at> http://dotat.at/ > German Bight: West veering northwest 4 or 5. Slight or moderate. Occasional > drizzle. Good, occasionally poor. -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
