On Tuesday, January 12, 2016 12:32:08 am Viktor Dukhovni wrote: > > Also, when I say "prohibited" here, I mean _completely_. > > There is no Internet police, and the IETF does not get to prohibit > the use of MD5, we only get to write protocol standards.
Of course, but the IETF can state that MD5 is not considered secure, must not be used in any of its old specifications (I do agree that a short list of exceptions will be needed), and put forth a set of basic requirements to continue to use IETF specifications with any intent of considering them even slightly secure. The IETF can't directly enforce this, but plenty of organizations do take this sort of thing seriously, even if others ignore it completely. I would hope that lawyers that wish to reduce their companies' liability for ever-frequent data breaches might pay attention when a primary standards body officially disavows things they're still using as insecure. > > No MD5 function should remain in the relevant codebase; > > In particular the IETF does not get to tell anyone which functions > they get to include in their codebase. So no IETF document saying > such a thing makes much difference. It's not a list of demands; it's basic specifications maintenance. It's just a matter of stating what's necessary to avoid well-known security problems when using IETF specs. We know it's a problem and should say so, loudly, on the standards track, as we are well aware that obsolete standards are still in regular use and are dangerous unless their implementations are properly handling all issues discovered since initial release. I am of course aware that the IETF doesn't like to wade into implementation issues in this kind of detail, but just blaming implementations for screw ups isn't an answer. We should be reliably telling implementors what's needed to avoid them. The disabled-but-accepted nonsense is a common enough high-risk issue that comes up way too often, and not prominently specifying how to deal with it is irresponsible. An argument could be made for coding/API safety issues like this being in a separate BCP RFC, especially if we actually wanted to cover other things like this, but that's a much larger proposal than what I'm currently talking about. > > if MD5||SHA1 support is continued, > > there should be one function that does only that without any way to get > > a plain MD5 hash. > > This turns out to be a good idea anyway, thus, for example, OpenSSL > 1.1.0-apha2 just recently added an EVP_md5_sha1() hash function. Ah, good to hear. Thanks for the info. Dave _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
