
Re: I-D ACTION:draft-ietf-smime-rfc2632bis-00.txt

2002-03-30 21:15:37

----- Original Message -----
From: "Housley, Russ" <rhousley(_at_)rsasecurity(_dot_)com>
To: "Blake Ramsdell" <blake(_at_)brutesquadlabs(_dot_)com>
Cc: <jimsch(_at_)exmsft(_dot_)com>; <ietf-smime(_at_)imc(_dot_)org>
Sent: Saturday, March 30, 2002 10:58 AM
Subject: Re: I-D ACTION:draft-ietf-smime-rfc2632bis-00.txt

I am fine with this approach.

In ipki-pkalgs there is the following language with regard to MD2:

At the Selected Areas in Cryptography '95 conference in May 1995,
Rogier and Chauvaud presented an attack on MD2 that can nearly find
collisions [RC95].  Collisions occur when one can find two different
messages that generate the same message digest.  A checksum operation
in MD2 is the only remaining obstacle to the success of the attack.
For this reason, the use of MD2 for new applications is discouraged.
It is still reasonable to use MD2 to verify existing signatures, as
the ability to find collisions in MD2 does not enable an attacker to
find new messages having a previously computed hash value.

[RC95]   Rogier, N. and Chauvaud, P., "The compression function of
         MD2 is not collision free," Presented at Selected Areas in
         Cryptography '95, May 1995.

I can copy this language and reference directly, unless it's sufficient to
say "there's an issue, go look at pkalgs for more information".