On Mon, Jan 11, 2016 at 10:42:45PM -0500, Dave Garrett wrote:
> No sane person disputes that MD5 needs to be eradicated ASAP. We're keeping
> MD5||SHA1 in old TLS for compatibility and we are well aware that needs
> to go eventually too. Thus, I suggest we publish an MD5 diediedie standards
> track RFC to prohibit ALL standalone MD5 use in ALL IETF
> protocols/standards.
With some exceptions, for example:
* As you note in your last comment, X.509 self-signatures via
MD5 may continue to be ignored, once MD5 is "banned" in the same
way that they should have been ignored before it was "banned".
* S/MIME parsers may continue to parse old S/MIME messages with
MD/5 signatures. More generally, Encrypted data at rest may
need support for MD5 for the lifetime of the data (until
re-encrypted, ...).
* PEM files holding RSA private encrypted keys may continue
to use the legacy MD5-based KDF so that the keys can be
decrypted.
> Also, when I say "prohibited" here, I mean _completely_.
There is no Internet police, and the IETF does not get to prohibit
the use of MD5, we only get to write protocol standards.
> No MD5 function should remain in the relevant codebase;
In particular the IETF does not get to tell anyone which functions
they get to include in their codebase. So no IETF document saying
such a thing makes much difference.
> if MD5||SHA1 support is continued,
> there should be one function that does only that without any way to get
> a plain MD5 hash.
This turns out to be a good idea anyway, thus, for example, OpenSSL
1.1.0-apha2 just recently added an EVP_md5_sha1() hash function.
--
Viktor.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
