On Tuesday 12 January 2016 05:32:08 Viktor Dukhovni wrote:
> On Mon, Jan 11, 2016 at 10:42:45PM -0500, Dave Garrett wrote:
> > No sane person disputes that MD5 needs to be eradicated ASAP. We're keeping MD5||SHA1 in old TLS for compatibility and we are well aware that needs to go eventually too. Thus, I suggest we publish an MD5 diediedie standards track RFC to prohibit ALL standalone MD5 use in ALL IETF protocols/standards.
>
> With some exceptions, for example:
>
> * As you note in your last comment, X.509 self-signatures via MD5 may continue to be ignored, once MD5 is "banned", in the same way that they should have been ignored before it was "banned".
>
> * S/MIME parsers may continue to parse old S/MIME messages with MD5 signatures. More generally, encrypted data at rest may need support for MD5 for the lifetime of the data (until re-encrypted, ...).
In the case of digital signatures, that means "lifetime of the data": you can't expect them to be re-signable, so it must not completely forbid use of MD5 in implementations of stuff like PAdES-A, though it should strongly recommend allowing its use in only *very* specific circumstances.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls