RE: ecc-subpubkeyinfo draft question: fate of MD-2 and MD-5
Turner, Sean P. <turners <at> ieca.com>
2008-10-01 21:29:31 GMT
We could put something like the following in the security considerations
Cryptographic algorithms will be broken or weakened over time. Implementers
and users need to check that the cryptographic algorithms listed in this
document continue to provide the expected level of security. For example,
some consider MD2 and MD5 weak cryptographic algorithms due to collisions
[RC95] and [XY05], respectively.
Informative references (found these in old RFCs and on the web):
[RC95] Rogier, N. and P. Chauvaud, "The compression function of MD2 is not
collision free," Presented at Selected Areas in Cryptography '95, May 1995.
[XY05] Wang, X., and H. Yu, "How to Break MD5 and Other Hash Functions",
EUROCRYPT 2005, LNCS 3494, pp. 19-35, 2005.
>From: owner-ietf-pkix <at> mail.imc.org
>[mailto:owner-ietf-pkix <at> mail.imc.org] On Behalf Of Russ Housley
>Sent: Tuesday, September 30, 2008 5:23 PM
>To: Jim Schaad; 'Alfred Hönes'; ietf-pkix <at> imc.org
>Subject: RE: ecc-subpubkeyinfo draft question: fate of MD-2 and MD-5
>There was a long discussion a few years ago, and the PKIX WG
>decided that the various applications that make use of
>certificates should select the mandatory to implement
>algorithms. In this way, the algorithms in the protocol and
>in the certificates can be aligned.
>At 03:17 PM 9/30/2008, Jim Schaad wrote:
>>That is an interesting question. I don't believe that there have
>>been any required algorithms for PKIX certificates as defined by the
>>PKIX working group. You have documents such as the S/MIME
>>draft which says you need to use these algorithms for S/MIME
>>type certificates instead.
>>I think that it would make sense to put a section into the security
>>considerations that makes statements about what we consider to be the
>>suitability of other groups adopting these algorithms. I
>>believe we can actually call these algorithms deprecated, however.
>> > -----Original Message-----
>> > From: owner-ietf-pkix <at> mail.imc.org [mailto:owner-
>> > pkix <at> mail.imc.org] On Behalf Of Alfred Hönes
>> > Sent: Sunday, September 28, 2008 7:08 PM
>> > To: ietf-pkix <at> imc.org
>> > Subject: ecc-subpubkeyinfo draft question: fate of MD-2 and MD-5
>> > Folks,
>> > the current version of draft-ietf-pkix-ecc-subpubkeyinfo contains
>> > unqualified ASN.1 definitions for the digest algorithms MD-2 and
>> > MD-5, as well as for RSA with MD-2 and MD-5.
>> > Other WGs already have deprecated MD-2 and/or MD-5 and/or
>> > are in the
>> > process of deprecating these older hash functions (generally
>> > believed to be insecure today), for use in the protocols.
>> > So the question arises what to do with these old algorithms in the
>> > context of PKIX in general, and in particular in the above draft.
>> > I see four possible options:
>> > A) leave the draft unchanged
>> > B) leave the related ASN.1 definitions intact,
>> > but add ASN.1 comments ' -- DEPRECATED'
>> > C) keep the related ASN.1 definitions in the document
>> > for the purpose of documentation and historical record,
>> > but comment them out and add the above note
>> > D) remove the related ASN.1 from the new/updated ASN.1
>> > modules in Appendix A.2 and Appendix A.4 of the draft
>> > This question should be decided upon (almost independently):
>> > (1) for MD-2 and RSA with MD-2 ... choices (1A), ... (1D)
>> > and
>> > (2) for MD-5 and RSA with MD-5 ... choices (2A), ... (2D)
>> > Any opinions?
>> > Please indicate support for
>> > - one of: (1A) / (1B) / (1C) / (1D)
>> > - and one of: (2A) / (2B) / (2C) / (2D)
>> > Kind regards,
>> > Alfred.
>> > P.S.: My personal preference is (1C) + (2B).
>> > --
>> > | TR-Sys Alfred Hoenes | Alfred Hoenes Dipl.-Math.,
>> > | Gerlinger Strasse 12 | Phone: (+49)7156/9635-0, Fax:
>> > | D-71254 Ditzingen | E-Mail: ah <at> TR-Sys.de
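The proposed security-considerations text above tells implementers to check that the algorithms named in the draft still provide the expected security. The following is an added example of what such a check looks like in practice; it is not code from the draft, from the PKIX WG or from anyone on this thread. It walks the DER of an X.509 Certificate with a minimal TLV reader, decodes the OBJECT IDENTIFIER in the outer signatureAlgorithm AlgorithmIdentifier, and looks it up in a table whose dotted OIDs are the registered PKIX values (md2, md5, md2WithRSAEncryption, md5WithRSAEncryption, sha1WithRSAEncryption, sha256WithRSAEncryption, ecdsa-with-SHA256) but whose "deprecated" / "legacy" / "ok" labels are this example's own policy, not the draft's. The stand-in certificates it checks are constructed here with an empty tbsCertificate and an empty signature, so they are not real certificates, only the structure needed to exercise the parser.

```python
"""Added example: flag MD2/MD5-based signature algorithms in a DER Certificate."""

# Dotted OIDs are the registered PKIX values (RFC 3279 family). The status
# labels are this example's own policy, not anything the draft specifies.
ALGORITHMS = {
    "1.2.840.113549.2.2": ("md2", "deprecated"),
    "1.2.840.113549.2.5": ("md5", "deprecated"),
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "deprecated"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "deprecated"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "legacy"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ok"),
}


def read_tlv(buf, pos):
    """Parse one DER TLV starting at buf[pos]; return (tag, contents, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(contents):
    """Decode OBJECT IDENTIFIER contents octets (base-128 arcs) to dotted form."""
    arcs, acc = [], 0
    for b in contents:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:      # high bit clear ends the current arc
            arcs.append(acc)
            acc = 0
    if acc or not arcs:
        raise ValueError("malformed OID")
    first, rest = arcs[0], arcs[1:]
    x, y = divmod(first, 40) if first < 80 else (2, first - 80)  # first two arcs packed as 40*X+Y
    return ".".join(str(a) for a in [x, y] + rest)


def encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = bytearray([v & 0x7F])
        v >>= 7
        while v:
            chunk.insert(0, 0x80 | (v & 0x7F))
            v >>= 7
        out += chunk
    return bytes([0x06]) + encode_length(len(out)) + bytes(out)


def signature_algorithm_of(cert_der):
    """Return (dotted_oid, name, status) for Certificate.signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)       # tbsCertificate, skipped here
    tag, algid, _ = read_tlv(cert, pos)    # signatureAlgorithm AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid_bytes, _ = read_tlv(algid, 0)  # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier.algorithm is not an OID")
    oid = decode_oid(oid_bytes)
    name, status = ALGORITHMS.get(oid, ("unknown", "unknown"))
    return oid, name, status


def accept(cert_der, allow_legacy=False):
    """Policy decision: accept only 'ok' algorithms, optionally 'legacy' ones."""
    _, _, status = signature_algorithm_of(cert_der)
    return status == "ok" or (status == "legacy" and allow_legacy)


def constructed_cert(sig_oid):
    """Constructed stand-in (not a real certificate): empty tbsCertificate,
    AlgorithmIdentifier {sig_oid, NULL}, empty BIT STRING signature."""
    algid_body = encode_oid(sig_oid) + b"\x05\x00"
    algid = b"\x30" + encode_length(len(algid_body)) + algid_body
    body = b"\x30\x00" + algid + b"\x03\x01\x00"
    return b"\x30" + encode_length(len(body)) + body


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4",
                "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        der = constructed_cert(oid)
        print(signature_algorithm_of(der), "accept:", accept(der))
```

Two caveats a practitioner would add: the outer signatureAlgorithm only says what the issuer signed with, so a complete check also compares it with tbsCertificate.signature and inspects the digest algorithm wherever one is named elsewhere in the chain, and the "ok"/"legacy" split here is a policy table the deployment has to keep current, which is exactly the maintenance burden the proposed security-considerations paragraph is warning about.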