On Tue, Jan 12, 2016 at 3:42 AM, Dave Garrett <davemgarr...@gmail.com> wrote:

> On Monday, January 11, 2016 06:13:37 pm Tony Arcieri wrote:
>> My understanding is TLS 1.2 specifically was amended to allow MD5
>> signatures even though this was not the case in previous TLS versions, or
>> at least that was the claim of the miTLS presenters on SLOTH at
>> RealWorldCrypto 2016.
>>
>> If this is the case, this seems like a big regression in TLS 1.2.
>
> I'd like to propose killing the low hanging fruit first, and then continue to
> build on top of that.
>
> No sane person disputes that MD5 needs to be eradicated ASAP. We're keeping
> MD5||SHA1 in old TLS for compatibility and we are well aware that needs to go
> eventually too. Thus, I suggest we publish an MD5 diediedie standards track
> RFC to prohibit ALL standalone MD5 use in ALL IETF protocols/standards.
> Constructions using MD5 with something else (namely MD5||SHA1) would also be
> explicitly recommended against in existing specifications, and explicitly
> prohibited in all new drafts (even if unlikely).
>
> Also, when I say "prohibited" here, I mean _completely_. No MD5 function
> should remain in the relevant codebase; if MD5||SHA1 support is continued,
> there should be one function that does only that without any way to get a
> plain MD5 hash. (and no "it's fine for this" junk; non-broken hashes are also
> fine for that, and if you're wrong, it's safer) There are too many
> implementation bugs in this realm to not state this explicitly [0].
>

I completely agree. At least one open source SSL/TLS implementation is looking at purging their code of MD5 functions.

> Note that continued support of trust anchors with MD5 hashes is not dependent
> on this, as we've already agreed they don't need to be validated. (they need
> to be phased out, but with less urgency) If used within this specific
> context, nothing even needs the ability to understand MD5 hashes at all in
> order to handle these; the certificate as a whole is trusted or not.
>
>
> Dave
>
>
> PS
> To whomever came up with the "diediedie" term, thank you. ;)
>
>
> [0] Note the 3 disabled-but-accepted bugs listed here:
> https://www.mitls.org/pages/attacks/SLOTH#disclosure
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
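An added example, not code from this thread or from any TLS implementation, showing the two points the message makes in working form: a TLS 1.2 verifier that checks the peer's SignatureAndHashAlgorithm against what the client actually offered (the "disabled-but-accepted" bugs in [0] are verifiers that skip this and dispatch on whatever the server sent), beside the lenient pattern it replaces; and the legacy MD5||SHA1 input for TLS 1.0/1.1 RSA signatures kept behind a single function with no standalone MD5 entry point. The `OFFERED` set, the handshake fragment in `__main__` and the `lenient_digest` reconstruction are assumptions made for the example, not any named library's code.

```python
"""Signature-hash policy for a TLS verifier that keeps plain MD5 unreachable.

Added example. OFFERED stands in for this client's signature_algorithms
extension, and lenient_digest is a reconstruction of the disabled-but-accepted
pattern, not any named implementation's code.
"""
import hashlib
import struct
from enum import IntEnum
from typing import FrozenSet, Tuple


class HashAlg(IntEnum):
    """HashAlgorithm code points, RFC 5246 section 7.4.1.4.1."""
    NONE = 0
    MD5 = 1
    SHA1 = 2
    SHA224 = 3
    SHA256 = 4
    SHA384 = 5
    SHA512 = 6


class SigAlg(IntEnum):
    """SignatureAlgorithm code points, RFC 5246 section 7.4.1.4.1."""
    ANONYMOUS = 0
    RSA = 1
    DSA = 2
    ECDSA = 3


# Constructed for the example: what this client advertises. MD5 and SHA-1 are
# deliberately absent, so a compliant server must never pick them.
OFFERED: FrozenSet[Tuple[HashAlg, SigAlg]] = frozenset({
    (HashAlg.SHA256, SigAlg.RSA),
    (HashAlg.SHA384, SigAlg.RSA),
    (HashAlg.SHA256, SigAlg.ECDSA),
})

# Dispatch table for TLS 1.2 digitally-signed structs. No MD5 (or SHA-1) entry
# exists, so no code path can hand back a standalone MD5 digest.
_DIGESTS = {
    HashAlg.SHA224: hashlib.sha224,
    HashAlg.SHA256: hashlib.sha256,
    HashAlg.SHA384: hashlib.sha384,
    HashAlg.SHA512: hashlib.sha512,
}


def parse_sig_alg(blob: bytes) -> Tuple[HashAlg, SigAlg]:
    """Parse the 2-byte SignatureAndHashAlgorithm prefixing a TLS 1.2
    ServerKeyExchange signature. Unknown code points raise ValueError from
    the enum constructor instead of being mapped to a default."""
    if len(blob) < 2:
        raise ValueError("truncated SignatureAndHashAlgorithm")
    hash_id, sig_id = struct.unpack("!BB", blob[:2])
    return HashAlg(hash_id), SigAlg(sig_id)


def lenient_digest(hash_alg: HashAlg, data: bytes) -> bytes:
    """The disabled-but-accepted bug: MD5 was dropped from the advertised list,
    but verification still dispatches by name on whatever the peer sent, so a
    tampered handshake forces MD5 back in."""
    return hashlib.new(hash_alg.name.lower(), data).digest()


def strict_digest(hash_alg: HashAlg, sig_alg: SigAlg, data: bytes,
                  offered: FrozenSet[Tuple[HashAlg, SigAlg]] = OFFERED) -> bytes:
    """Hardened path: the pair the peer chose must be one we offered (RFC 5246
    section 7.4.1.4.1), and the dispatch table simply has no MD5 entry."""
    if (hash_alg, sig_alg) not in offered:
        raise ValueError(
            f"peer chose {hash_alg.name}/{sig_alg.name}, which we did not offer")
    return _DIGESTS[hash_alg](data).digest()


def legacy_md5_sha1(data: bytes) -> bytes:
    """TLS 1.0/1.1 RSA signature input: MD5(data) || SHA-1(data), 36 bytes
    (RFC 4346 section 7.4.3). The only place MD5 is computed; the MD5 half is
    never returned on its own."""
    return hashlib.md5(data).digest() + hashlib.sha1(data).digest()


def verify_digest_choice(sig_alg_blob: bytes, signed_data: bytes) -> bytes:
    """Glue a verifier would call: parse the peer's choice, apply the strict
    policy, return the digest to feed to the signature check."""
    hash_alg, sig_alg = parse_sig_alg(sig_alg_blob)
    return strict_digest(hash_alg, sig_alg, signed_data)


if __name__ == "__main__":
    # Constructed fragment: server answers md5/rsa (0x01 0x01) although the
    # client offered only SHA-2 algorithms.
    params = b"\x00\x80" + bytes(128) + b"\x00\x01\x02"
    h, s = parse_sig_alg(b"\x01\x01")
    print("lenient accepts MD5:", len(lenient_digest(h, params)) == 16)
    try:
        verify_digest_choice(b"\x01\x01", params)
    except ValueError as exc:
        print("strict rejects:", exc)
    print("strict sha256/rsa:", verify_digest_choice(b"\x04\x01", params).hex())
```

The design choice worth copying is the dispatch table: an algorithm that is not in `_DIGESTS` cannot be selected by any input, so "disabled" means the same thing as "absent", and the only MD5 call in the module is inside `legacy_md5_sha1`, which can be deleted wholesale when TLS 1.0/1.1 support goes.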