-----Original Message----- From: Roman Danyliw <[email protected]> Sent: Monday, June 8, 2020 8:13 PM To: Jim Schaad <[email protected]>; 'Barry Leiba' <[email protected]>; 'The IESG' <[email protected]> Cc: 'Ivaylo Petrov' <[email protected]>; [email protected]; [email protected]; [email protected] Subject: RE: Barry Leiba's Yes on draft-ietf-cose-hash-algs-04: (with COMMENT)
Hi Jim! > -----Original Message----- > From: iesg <[email protected]> On Behalf Of Jim Schaad > Sent: Tuesday, June 2, 2020 3:17 PM > To: 'Barry Leiba' <[email protected]>; 'The IESG' > <[email protected]> > Cc: 'Ivaylo Petrov' <[email protected]>; [email protected]; > draft-ietf-cose-hash- [email protected]; [email protected] > Subject: RE: Barry Leiba's Yes on draft-ietf-cose-hash-algs-04: (with > COMMENT) > > > > -----Original Message----- > From: Barry Leiba via Datatracker <[email protected]> > Sent: Monday, June 1, 2020 9:33 PM > To: The IESG <[email protected]> > Cc: [email protected]; [email protected]; > [email protected]; Ivaylo Petrov <[email protected]>; [email protected] > Subject: Barry Leiba's Yes on draft-ietf-cose-hash-algs-04: (with > COMMENT) > > Barry Leiba has entered the following ballot position for > draft-ietf-cose-hash-algs-04: Yes > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut > this introductory paragraph, however.) > > > Please refer to > https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-cose-hash-algs/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- [snip] > The standard "Collision Attack" is one where an attacker can > find two different messages that have the same hash value. If a > collision attack exists, then the function SHOULD NOT be used for a > cryptographic purpose. > > I’m uncomfortable with having this document give a brief tutorial on > cryptographic hashing, as it has to be oversimplified... and it is. > If it’s going to stay, I’d like to see ar least one minor change, > though I’ll defer to the Sec ADs on this point: for any hash alg, it > is always possible to encounter a collision, and the text isn’t clear about > what “if a collision attack exists” > really means. I think it means not to use it if a collision attack is > practical, and maybe this is a better way to say it?: > > NEW > A "collision attack" is one where an attacker can > find two different messages that have the same hash value. A > hash function that is susceptible to collision attacks, SHOULD > NOT be used for cryptographic purposes. > END > > [JLS] Done. Given how fast we are at getting hash algorithms changed, > I don't know that the trigger I would use is that the attack is > practical. Just the ability to find a collision at all is the trigger > that we need to start changing the hash algorithms we are using. > People have talked about SHA-1 collisions for the last twenty years, > but only in the last two have they become practical. Should we be suggesting > the SHOULD earlier than 2017? Perhaps we simply state the guiding design principal. Say: A "collision attack" is one where an attacker can find two different messages that have the same hash value. A hash function that is susceptible to practical collision attacks SHOULD NOT be used for cryptographic purposes. The discovery of theoretical collision attacks against a given hash function SHOULD trigger a review of the continued suitability of the algorithm if alternatives are available and migration is viable. [JLS] That makes sense. Regards, Roman _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
