Where in TLS (or even SSL v3) is MD2 used in a cipher suite? I
realize that it's in the document list for TLS 1.0. In RFCs 2459 and
3279 (11 and 8 years old) it gives OIDs and says "the use of MD2 for new
applications is discouraged. It is still reasonable to use MD2 to verify
I also can't find any current MD2 intermediate certificates. You
are right that the signature of a root certificate is not a relevant
exercise of trust, since one trusts either the public key of the root
certificate or the content of the entire root certificate with the
signature no more relevant to a trust decision than any other field in it.
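The trust point above (a root's own signature is not part of the trust decision, so an MD2 signature only matters on intermediate and end-entity certificates) can be checked mechanically. The following is an added example, not code from this thread: a minimal DER walker that reads each certificate's signatureAlgorithm OID and reports MD2-based signatures on any certificate that is not self-issued (issuer equal to subject, which is how a root presents itself; a full check would also verify the self-signature). The OIDs are the RFC 3279 values; the sample chain at the bottom is constructed here with toy names, no public key and dummy signature bytes, so it is not a real chain.

```python
"""Flag MD2-signed certificates in a DER chain, exempting self-issued roots.
Added example, not from the thread; the sample chain is constructed."""

# RFC 3279 / PKCS#1 OID for MD2-based RSA signatures.
MD2_SIGNATURE_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption"}
OID_COMMON_NAME = "2.5.4.3"  # used only to build the toy names below


def _read_length(buf, i):
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def read_tlv(buf, i=0):
    """Return (tag, content, raw_tlv, next_index) for the TLV starting at buf[i]."""
    tag = buf[i]
    length, start = _read_length(buf, i + 1)
    end = start + length
    return tag, buf[start:end], buf[i:end], end


def children(content):
    """Yield (tag, content, raw) for each TLV inside a constructed value."""
    i = 0
    while i < len(content):
        tag, inner, raw, i = read_tlv(content, i)
        yield tag, inner, raw


def decode_oid(content):
    """Turn OID content bytes into dotted notation."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def inspect_certificate(der):
    """Return the signature OID and self-issued flag of one DER Certificate."""
    _, cert_body, _, _ = read_tlv(der)
    parts = list(children(cert_body))          # tbsCertificate, signatureAlgorithm, signatureValue
    tbs_fields = list(children(parts[0][1]))
    if tbs_fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        tbs_fields = tbs_fields[1:]
    # After version: serialNumber, signature, issuer, validity, subject, ...
    issuer_raw, subject_raw = tbs_fields[2][2], tbs_fields[4][2]
    sig_oid = decode_oid(next(children(parts[1][1]))[1])
    return {"sig_oid": sig_oid, "self_issued": issuer_raw == subject_raw}


def audit_chain(chain):
    """Return [(index, algorithm)] for MD2-signed certs that are not self-issued roots."""
    findings = []
    for index, der in enumerate(chain):
        info = inspect_certificate(der)
        name = MD2_SIGNATURE_OIDS.get(info["sig_oid"])
        if name and not info["self_issued"]:
            findings.append((index, name))
    return findings


# --- DER encoders used only to construct the toy sample chain ---------------
def _encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + _encode_length(len(content)) + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def _name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    attr = tlv(0x30, encode_oid(OID_COMMON_NAME) + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, attr))


def toy_certificate(subject, issuer, sig_oid):
    """Constructed toy certificate: real field order, no key, dummy signature."""
    alg_id = tlv(0x30, encode_oid(sig_oid) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"100601000000Z") + tlv(0x17, b"110601000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + alg_id + _name(issuer) + validity + _name(subject))
    signature = tlv(0x03, b"\x00" + b"\xAA" * 16)  # dummy bits, not a real signature
    return tlv(0x30, tbs + alg_id + signature)


# Constructed sample chain: MD2 root (exempt), MD2 intermediate (flagged), SHA-1 leaf.
ROOT = toy_certificate("Toy Root", "Toy Root", "1.2.840.113549.1.1.2")
INTERMEDIATE = toy_certificate("Toy Intermediate", "Toy Root", "1.2.840.113549.1.1.2")
LEAF = toy_certificate("toy.example", "Toy Intermediate", "1.2.840.113549.1.1.5")
SAMPLE_CHAIN = [LEAF, INTERMEDIATE, ROOT]

if __name__ == "__main__":
    print(audit_chain(SAMPLE_CHAIN))  # [(1, 'md2WithRSAEncryption')]
```

The walker only touches the fields up to `subject` inside tbsCertificate, so it works on real DER certificates as well as the toy ones; swap `SAMPLE_CHAIN` for the DER bytes of a real chain to audit it.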
Simon Josefsson <simon(_at_)josefsson(_dot_)org>
Peter Gutmann <pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz>
pkix(_at_)ietf(_dot_)org, cfrg(_at_)irtf(_dot_)org, saag(_at_)ietf(_dot_)org,
06/10/2010 10:19 AM
Re: [pkix] [Fwd: I-D ACTION:draft-turner-md2-to-historic-00.txt]
Peter Gutmann <pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz> writes:
Simon Josefsson <simon(_at_)josefsson(_dot_)org> writes:
1) MD2 is not on the standards track, it is Informational. I agree with
wishes to move "poor" documents from the Standards Track to Historic,
but I'm not sure I see such a big difference between having a "poor"
document as Informational or Historic. Especially for a crypto
algorithm, which the IETF typically does not put on the standards
track at all. Is there some precedent for moving Informational to
It helps to have something like this formally retired so you have a
to point to when someone wants to use (or continue to use) MD2. Trying to
explain to them the difference between "Informational" and "Standards Track"
when their requirement is "must be specified in an RFC" isn't generally
Sure, but MD2 is not used in isolation, it is used in a protocol like
TLS, S/MIME, etc. Isn't it sufficient, even preferable, to move uses of
MD2 in these protocols to Historic? That would seem to carry much more
weight -- then people cannot continue to support MD2 in these protocols
and claim to be compliant with the latest specifications.
Note that there are other uses of MD2 that are still fine even if MD2 is
not collision resistant. Compare how rsync still uses MD4 for checksum
computations, and that won't stop it being a reasonable choice.
I'm mostly playing the devil's advocate here, and want to make sure we
consider the consequences before giving a flippant +1.