I think a published update to MD5 security considerations should clearly say
what it's still fine to do with MD5, in addition to what it's not safe to do.
This would mean adding a couple sentences, and that's about all it would really
take to be clear on the issue:
"Since RFC 1321 was published, MD5 found popular use in checksuming large file
transfers. This use of MD5 is still reasonable, as the level of collision
resistance is of less importance in this application and MD5 may be
significantly more efficient than cryptographically stronger algorithms.
Communications, networking, and storage systems prone to errors (e.g. due to
faulty hardware, drivers, bit-errors, faulty NAT/ALG algorithms, etc) do not
implement the known MD5 collision-finding algorithms, and MD5 remains highly
effective at detecting such errors."
Sent: Wednesday, December 08, 2010 6:33 PM
To: Eddy, Wesley M. (GRC-MS00)[ASRC AEROSPACE CORP]
Cc: L(_dot_)Wood(_at_)surrey(_dot_)ac(_dot_)uk; wes(_at_)mti-systems(_dot_)com;
Subject: Re: Last Call: <draft-turner-md5-seccon-update-07.txt> (Updated
Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms)
to Informational RFC
In your previous mail you wrote:
The logic doesn't make sense in this position. "Crypto modules
can't use MD5, thus no protocols at all should use MD5."
=> this is a silly/bad/... consequence of the crypto label
attached to the MD5 name. I understand you are not happy with
this but what do you propose?
PS: BTW I'd like to apply the argument only to *new* protocols.
Ietf mailing list