[Top] [All Lists]

Re: [smime] [pkix] [Fwd: I-D ACTION:draft-turner-md2-to-historic-00.txt]

2010-06-14 22:03:49
        Where in TLS (or even SSL v3) is MD2 used in a cipher suite?  I 
realize that it's in the document list for TLS 1.0.  In RFC's 2459 and 
3279 (11 and 8 years old) it gives OID's and says "the use of MD2 for new 
applications is discouraged.  It is still reasonable to use MD2 to verify 
existing signatures".
        I also can't find any current MD2 intermediate certificates.  You 
are right that the signature of a root certificate is not a relevant 
exercise of trust, since one trusts either the public key of the root 
certificate or the content of the entire root certificate with the 
signature no more relevant to a trust decision than any other field in it.

                Tom Gindin

Simon Josefsson <simon(_at_)josefsson(_dot_)org>
Peter Gutmann <pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz>
pkix(_at_)ietf(_dot_)org, cfrg(_at_)irtf(_dot_)org, saag(_at_)ietf(_dot_)org, 
06/10/2010 10:19 AM
Re: [pkix] [Fwd: I-D ACTION:draft-turner-md2-to-historic-00.txt]
Sent by:

Peter Gutmann <pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz> writes:

Simon Josefsson <simon(_at_)josefsson(_dot_)org> writes:

1) MD2 is not on the standards track, it is Informational.  I agree with
  wishes to move "poor" documents from the Standards Track to Historic,
  but I'm not sure I see such a big difference between having a "poor"
  document as Informational or Historic.  Especially for a crypto
  algorithm, which the IETF typically does not put on the standards
  track at all.  Is there some precedent for moving Informational to

It helps to have something like this formally retired so you have a 
to point to when someone wants to use (or continue to use) MD2.  Trying 
explain to them the difference between "Informational" and "Standards 
when their requirement is "must be specified in an RFC" isn't generally

Sure, but MD2 is not used in isolation, it is used in a protocol like
TLS, S/MIME, etc.  Isn't it sufficient, even preferable, to move uses of
MD2 in these protocol to Historic?  That would seem to carry much more
weight -- then people cannot continue to support MD2 in these protocol
and claim to be compliant with the latest specifications.

Note that there are other uses of MD2 that are still fine even if MD2 is
not collision resistant.  Compare how rsync still uses MD4 for checksum
computations, and that won't stop it being a reasonable choice.

I'm mostly playing the devil's advocate here, and want to make sure we
consider the consequences before giving a flippant +1.

pkix mailing list

smime mailing list