At 22:18 -0800 12/26/05, Wes Hardaker wrote:
On Mon, 26 Dec 2005 23:36:41 -0500, David Blacka <davidb@verisignlabs.com> said:David> The use of MUST means that, if an implementation doesn't do the David> thing, something Will Not Work. All of this language is about David> preferring SHA-256 to SHA-1. This is a Good Idea, but none of this David> is necessary for interoperability. Thus, SHOULD or RECOMMENDED is David> the appropriate level for the entire paragraph. There is a really large number of RFCs that have MUSTs for security related things. That's because without them, security Will Not Work (which then affects interoperability). IMHO, it should stay as a MUST. But... I of course will follow the consensus of the group. Though in this case I think we're not that close to the point where an attack is actually executable against SHA-1...
I agree with David.The action of validation isn't an interoperability question. Either a node will do its own or it will be blindly reliant on another to perform the function (that whole AD bit issue).
I cringe when I hear "security will not work" because I have never once heard from a seasoned security practioner "if you do things this way, you will be secure." After spending a lot of time around security people, I have come to believe that security is "the goal that can not be achieved, no matter how much one works at it." I wouldn't be surprised if, in 5 years, I hear that SHA-256 is beaten and now SHA-1 is more secure.
Ultimately, I think it is a mistake for any protocol defining document or algorithm defining document to ever make a MUST out of its use or to make statements about the algorithm's "rank" amongst its peers. Whether the subject of a document is in force should be left to an operational profile document. Profiles are much easier to alter, say, to remove the broken SHA-256 when the time comes and replace it with SHA-256-and-a-half if the definitions for those two stick just to their definition.
-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar 3 months to the next trip. I guess it's finally time to settle down and find a grocery store. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>