Various comments from various people (please excuse the lost
attributions):

I can see not using MD5 as a secure hash, but for generating a token?
I don't see a problem with acceptance.

The problem with acceptance in government circles is a legal one. They are
required not to use MD5. There is no practical weakness in MD5. The reason
for dropping it as the default cryptosystem is purely political.

The problem is that the weakness was identified ten years ago. If you use
MD5 in an algorithm the crypto protocols community immediately start
thinking 'this guy is a hick'. They also have to work out if the known
weaknesses of MD5 will affect the outcome.

The professional cryptographers here have no trouble with using MD5. It
made no difference to them whether we used that or SHA1. SHA1 was
recommended to me for purely political reasons. I am waiting for responses
from others in the group.

* Crypto algorithms to become pluggable.

I'll have to think on this one. Pluggable crypto is not an unalloyed good.
You can end up with downgrade attacks where you end up with your security
being set by the weakest algorithm.

Anyone who chooses a weak algorithm (e.g. RC4!) may become an open relay.
This does not affect anyone else on the network, since mail from open
relays may be dropped on principle. The default setup must be secure. The
provided options must all be secure. Anyone who adds a new crypto system
on their own remains on their own.

private key size. You shouldn't leak what crypto system you have
chosen to use in your SRS system any more than you should leak any of
your private key.

The choice of crypto system is always assumed public. The key is the only
secret.

* HMAC/SHA1 to become the configurable default.

I think this is overkill. In particular, I think a much larger
problem with acceptance of SRS is the CPU requirements to verify the
validity of an SRS address. You don't want to bog down an MTA by
simply sending lots of SRS checks; this would be a DoS attack.

I can perform 100,000 HMAC SHA1 encryptions in Perl on my desktop PC in
1.4 seconds. In C, the performance will double or treble. This really
isn't the bottleneck.

The only question is about hash length in relation to the 64 bit limit.
So far, I have been made aware of one system which suffers from this
limit, the Cisco PIX firewall MailGuard system. What others are there?

This appears to be the only remaining outstanding question with SRS. What
is the impact of this limit, and what can we do about it?
S.
--
Shevek http://www.anarres.org/
I am the Borg. http://www.gothnicity.org/
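Added example (not code from the original message or from the SRS project) showing the hash-length trade-off raised above: an HMAC-SHA1 token truncated to a configurable number of base64 characters, and the length of the resulting local part checked against a 64-octet limit. It assumes the SRS0 layout `SRS0=<hash>=<timestamp>=<host>=<local>`, a MAC over the lowercased timestamp, host and local part, a constructed secret, and a placeholder two-character timestamp.

```python
import base64
import hashlib
import hmac

# Constructed values for this example; the secret and timestamp are placeholders.
SECRET = b"constructed-example-secret"
TIMESTAMP = "TT"            # placeholder for the 2-character SRS timestamp
MAX_LOCAL_PART = 64         # assumed limit: 64 octets for an address local part


def srs_hash(secret: bytes, timestamp: str, host: str, local: str,
             hash_chars: int = 4) -> str:
    """HMAC-SHA1 over lowercased timestamp+host+local, base64, truncated.

    A full SHA1 MAC is 27 base64 characters once padding is stripped;
    `hash_chars` decides how many of them survive into the address.
    """
    data = f"{timestamp}{host}{local}".lower().encode()
    mac = hmac.new(secret, data, hashlib.sha1).digest()
    return base64.b64encode(mac).decode().rstrip("=")[:hash_chars]


def srs0_forward(secret: bytes, local: str, host: str, timestamp: str,
                 hash_chars: int = 4) -> str:
    """Build the rewritten local part SRS0=<hash>=<timestamp>=<host>=<local>."""
    h = srs_hash(secret, timestamp, host, local, hash_chars)
    return f"SRS0={h}={timestamp}={host}={local}"


def fits_local_part_limit(local_part: str) -> bool:
    """True if the rewritten local part stays within MAX_LOCAL_PART octets."""
    return len(local_part.encode()) <= MAX_LOCAL_PART


def srs0_reverse(secret: bytes, srs_local: str, hash_chars: int = 4):
    """Check the MAC on a bounce and return (local, host), or None if invalid.

    maxsplit=4 keeps any '=' inside the original local part intact, and
    compare_digest avoids leaking the mismatch position through timing.
    """
    parts = srs_local.split("=", 4)
    if len(parts) != 5 or parts[0] != "SRS0":
        return None
    _, h, timestamp, host, local = parts
    expected = srs_hash(secret, timestamp, host, local, hash_chars)
    if not hmac.compare_digest(h.encode(), expected.encode()):
        return None
    return local, host
```

Comparing the 4-character and 27-character variants on a 30-character local part shows which one still fits under the limit.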