ietf-dkim

RE: [ietf-dkim] Supporting alternate algorithms

2006-02-20 14:39:32
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Dave Crocker

1. I can't guess what you interpreted as "frightening" in my
characterization. All I did was note your own reference to a 5-year
timeframe and the lack of our having any details about what would be
chosen by then. As for vagueness, the lack of detail could hardly be
characterized otherwise.

Actually I think it is very clear what we will be using in 5 years' time,
either what we are using today or the NSA suite B with the possible
replacement of the hash algorithm.

A better question would be 'do we know how to manage the transition from
one algorithm to another'. That is what has never been effectively
accomplished in the field to date.

In other words, you think it appropriate to *require* that all signers
*always* use SHA-256?

This would mean, for example, that support for the next, preferred
algorithm, would require revising and re-issuing the specification.

This is actually a problem across all the IETF security specs and across
all the standards organizations. What we really need is a WG that
describes how to deploy a replacement crypto set across the board.

Having discussed this issue with the cryptographers the clear consensus
there is that the announced weaknesses in SHA-1 almost certainly affect
SHA-256 and that we should be looking for hash functions designed on
different principles rather than promoting SHA-256 as a cure.

Even with the known compromise SHA-1 is considerably stronger than the
RSA keys we are expecting to use. Break the hash and you may be able to
fake one bit in one document. Factoring the RSA key is less work and
allows you to sign any document you like.

It is not rational to be obsessing about SHA256 when we have bigger
problems with RSA. If it was not for the patent issues I would push for
ECC as per suite B.
