ietf-smime
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: I-D ACTION:draft-ietf-smime-rfc2632bis-00.txt

2002-04-05 09:03:55
from [Housley, Russ] [Permanent Link] 

Jim:

I have no problem with:
        MUST SHA-1
        SHOULD MD5
        MAY MD2

Russ


At 07:34 PM 4/4/2002 -0800, Jim Schaad wrote:

Gentlemen,

I have been thinking about what the problem with this response it, I
cannot explain it very well to my standard IT manager.

One one hand we are saying - MD2 is so bad that you should never use it
for generating signatures on S/MIME messages or certificates to be used
with validating S/MIME purposed certificates. (MUST NOT)

On the other hand we are saying - If you find a certificate with MD2 in
it, you really need to validate it.  We lied, there are not really any
problems with it.

The difference in approaches between Blake and me boil down to the fact
that I am writing a security document on what you really ought to do,
and Blake is creating an interopablity document describing how the real
world operates and what you need to do to survive there.  Given that
this is an IETF document, I believe that correctness is the primary
importance and compatability with the real world a secondary
consideration.  I would rather say nothing about MD2 except it exists
and there are potential problems (that we believe could lead to
incorrect validation) however I can accept MAY rather than SHOULD for
this along with the scary warning text in the security considerations.

jim

> -----Original Message-----
> From: Housley, Russ [mailto:rhousley(_at_)rsasecurity(_dot_)com]
> Sent: Saturday, March 30, 2002 10:59 AM
> To: Blake Ramsdell
> Cc: jimsch(_at_)exmsft(_dot_)com; ietf-smime(_at_)imc(_dot_)org
> Subject: Re: I-D ACTION:draft-ietf-smime-rfc2632bis-00.txt
>
>
> Blake:
>
> I am fine with this approach.
>
> Russ
>
>
> At 03:55 PM 3/29/2002 -0800, Blake Ramsdell wrote:
> >----- Original Message -----
> >From: "Housley, Russ" <rhousley(_at_)rsasecurity(_dot_)com>
> >To: <jimsch(_at_)exmsft(_dot_)com>
> >Cc: "'Blake Ramsdell'" <blake(_at_)brutesquadlabs(_dot_)com>;
> <ietf-smime(_at_)imc(_dot_)org>
> >Sent: Friday, March 29, 2002 1:57 PM
> >Subject: RE: I-D ACTION:draft-ietf-smime-rfc2632bis-00.txt
> >
> >
> > > I think that we should include is as a MAY for
> validation.  I do not think
> > > that anyone should generate new certificates that use MD2.
> >
> >My opinion is we should say SHOULD verify, and MUST NOT
> generate, perhaps
> >mentioning the known issues with MD2 in the security considerations.
> >
> >Blake
>
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: I-D ACTION:draft-ietf-smime-rfc2632bis-00.txt, Jim Schaad
Next by Date:  a basic question, Pradeep, PK
Previous by Thread:  RE: I-D ACTION:draft-ietf-smime-rfc2632bis-00.txt, Jim Schaad
Next by Thread:  a basic question, Pradeep, PK
Indexes:  [Date] [Thread] [Top] [All Lists]