ietf
[Top] [All Lists]

RE: Last Call: <draft-turner-md5-seccon-update-07.txt> (Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms) to Informational RFC

2010-12-21 11:59:40
That looks good to me.

--
Wes Eddy
MTI Systems


-----Original Message-----
From: Sean Turner [mailto:turners(_at_)ieca(_dot_)com]
Sent: Tuesday, December 21, 2010 12:14 PM
To: Eddy, Wesley M. (GRC-MS00)[ASRC AEROSPACE CORP]
Cc: Francis Dupont; wes(_at_)mti-systems(_dot_)com; iesg(_at_)ietf(_dot_)org;
L(_dot_)Wood(_at_)surrey(_dot_)ac(_dot_)uk; ietf(_at_)ietf(_dot_)org; Sam 
Hartman
Subject: Re: Last Call: <draft-turner-md5-seccon-update-07.txt> (Updated
Security Considerations for the MD5 Message-Digest and the HMAC-MD5
Algorithms) to Informational RFC

Wes,

I'm sympathetic to your concern, but I also think we need to specify
that this particular use needs to be "in-line" with the protocol (as
noted by Sam). How about the following changes in the introduction:

OLD:

[HASH-Attack] summarizes the use of hashes in many protocols and
discusses how attacks against a message digest algorithm's one-way
and collision-free properties affect and do not affect Internet
protocols.  Familiarity with [HASH-Attack] is assumed.

NEW:

[HASH-Attack] summarizes the use of hashes in many protocols and
discusses how attacks against a message digest algorithm's one-way
and collision-free properties affect and do not affect Internet
protocols.  Familiarity with [HASH-Attack] is assumed.  One of the
uses of message digest algorithms in [HMAC-Attack] was integrity
protection.  Where the MD5 checksum is used inline with the
protocol solely to protect against errors an MD5 checksum is still
an acceptable use.  Applications and protocols need to clearly
state in their security considerations what security services, if
any, are expected from the MD5 checksum.  In fact, any application
and protocol that employs MD5 needs to clearly state the expected
security services from their use of MD5.

spt

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf

<Prev in Thread] Current Thread [Next in Thread>