Sean Turner <turners(_at_)ieca(_dot_)com> writes:

> (apologies if you get this multiple times)
> I'm looking for feedback on this draft that proposes moving MD2 to
> historic status.

In general I support this: MD2 should simply not be used.
However I see two concerns:

1) MD2 is not on the standards track, it is Informational. I agree with
wishes to move "poor" documents from the Standards Track to Historic,
but I'm not sure I see such a big difference between having a "poor"
document as Informational or Historic. Especially for a crypto
algorithm, which the IETF typically does not put on the standards
track at all. Is there some precedent for moving Informational to
Historic?

2) MD2 is still used. In GnuTLS I recall _adding_ support for MD2 as
recently as (according to NEWS logs) in 2005. If I recall correctly,
some Verisign root certificates are MD2. Note that in GnuTLS,
verifying a certificate involving an MD2 digital signature will fail
because MD2 is insecure, but the algorithm is still implemented and
supported.

Thus the text in your document "many TLS implementations, OpenSSL,
Network Security Services, and GNUTLS, have disabled support for MD2"
may not be the entire story. GnuTLS "supports" MD2 even though it
does not consider it secure. I can't speak for OpenSSL or NSS, but I
suspect they implement MD2 too and can verify such digital hashes,
even if they don't consider them secure.

Even if these concerns cannot be fully addressed, I would likely still
support this document though. So they are "soft" concerns for me.

/Simon