On Monday, January 11, 2016 06:13:37 pm Tony Arcieri wrote:
> My understanding is TLS 1.2 specifically was amended to allow MD5
> signatures even though this was not the case in previous TLS versions, or
> at least that was the claim of the miTLS presenters on SLOTH at
> RealWorldCrypto 2016.
> 
> If this is the case, this seems like a big regression in TLS 1.2.

I'd like to propose killing the low-hanging fruit first, and then continuing to 
build on top of that.

No sane person disputes that MD5 needs to be eradicated ASAP. We're keeping 
MD5||SHA1 in old TLS for compatibility and we are well aware that needs to go 
eventually too. Thus, I suggest we publish an MD5 diediedie standards track RFC 
to prohibit ALL standalone MD5 use in ALL IETF protocols/standards. 
Constructions using MD5 with something else (namely MD5||SHA1) would also be 
explicitly recommended against in existing specifications, and explicitly 
prohibited in all new drafts (even if unlikely).

Also, when I say "prohibited" here, I mean _completely_. No MD5 function should 
remain in the relevant codebase; if MD5||SHA1 support is continued, there 
should be one function that does only that without any way to get a plain MD5 
hash. (And no "it's fine for this" junk; non-broken hashes are also fine for 
that, and if you're wrong, it's safer.) There are too many implementation bugs 
in this realm to not state this explicitly [0].

Note that continued support of trust anchors with MD5 hashes is not dependent 
on this, as we've already agreed they don't need to be validated. (They need to 
be phased out, but with less urgency.) If used within this specific context, 
nothing even needs the ability to understand MD5 hashes at all in order to 
handle these; the certificate as a whole is trusted or not.


Dave


PS
To whomever came up with the "diediedie" term, thank you. ;)


[0] Note the 3 disabled-but-accepted bugs listed here:
https://www.mitls.org/pages/attacks/SLOTH#disclosure

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
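As an added illustration of the two points in the post above (this is example code written for this page, not code from the thread or from miTLS): a TLS 1.2 signature_algorithms extension parser that refuses every MD5-based (hash, signature) pair, and a single legacy MD5||SHA-1 routine that is the only place MD5 is invoked and never exposes a plain MD5 digest. The registry values are the RFC 5246 HashAlgorithm/SignatureAlgorithm numbers; the sample extension body is constructed.

```python
import hashlib
import struct

# HashAlgorithm / SignatureAlgorithm registry values from RFC 5246 section 7.4.1.4.1
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
MD5_ID = 1


def legacy_md5_sha1_digest(data: bytes) -> bytes:
    """36-byte MD5||SHA-1 concatenation used for RSA signatures in TLS 1.0/1.1.

    Deliberately the only function in this module that touches MD5; the plain
    16-byte MD5 output is never returned on its own.
    """
    return hashlib.md5(data).digest() + hashlib.sha1(data).digest()


def parse_signature_algorithms(ext_body: bytes) -> list[tuple[int, int]]:
    """Parse a signature_algorithms extension body: uint16 length, then (hash, sig) byte pairs."""
    if len(ext_body) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", ext_body[:2])
    pairs = ext_body[2:]
    if length == 0 or length % 2 != 0 or length != len(pairs):
        raise ValueError("bad signature_algorithms length field")
    return [(pairs[i], pairs[i + 1]) for i in range(0, length, 2)]


def reject_md5_pairs(pairs: list[tuple[int, int]]) -> tuple[list[tuple[int, int]], list[str]]:
    """Split offered pairs into those a compliant peer may negotiate and the MD5 ones it must refuse.

    Returns (accepted_pairs, rejected_names); the names are for logging the refusal.
    """
    accepted = [(h, s) for h, s in pairs if h != MD5_ID]
    rejected = [f"{HASH_NAMES.get(h, h)}+{SIG_NAMES.get(s, s)}" for h, s in pairs if h == MD5_ID]
    return accepted, rejected


# Constructed sample body offering md5+rsa, sha256+rsa, md5+ecdsa, sha256+ecdsa
SAMPLE_EXT = bytes([0x00, 0x08, 0x01, 0x01, 0x04, 0x01, 0x01, 0x03, 0x04, 0x03])

if __name__ == "__main__":
    accepted, rejected = reject_md5_pairs(parse_signature_algorithms(SAMPLE_EXT))
    print("negotiable:", [(HASH_NAMES[h], SIG_NAMES[s]) for h, s in accepted])
    print("refused:   ", rejected)
    print("legacy MD5||SHA-1 of b'abc':", legacy_md5_sha1_digest(b"abc").hex())
```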