+1 - new specifications should definitely not be using MD5, and the SHA-2 hashes are preferable to SHA-1.
A useful related reference is NIST SP 800-131A:
http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

Thanks,
--David

From: nvo3 [mailto:[email protected]] On Behalf Of Truman Boyes
Sent: Friday, December 06, 2013 3:31 PM
To: Melinda Shore
Cc: [email protected]
Subject: Re: [nvo3] comments on nvo3 security requirements draft

I would recommend against suggesting MD5 as the hashing technology in a text to be used for future development. If necessary to describe the technology, I would recommend SHA-256 (sha2) or SHA-512. This would not have the same issues of collisions as MD5 currently does.

On Thu, Dec 5, 2013 at 8:55 PM, Melinda Shore <[email protected]> wrote:

On 12/5/13 3:50 PM, ramki Krishnan wrote:
>>>REQ2: (Page 8)
> This should recommend some authorization mechanisms such as md5 checksum.

I agree with your other suggestions, but 1) I don't think a requirements document should be making specific technology recommendations, and 2) md5 provides some assurances about message integrity, but really has nothing to say about policy.

In rereading the requirement I think it's actually not as clear as it could be although I think its intent is absolutely correct. I'd probably change the text to something along the lines of:

"Before accepting a control packet, the device receiving the packet MUST verify that the device sending the request is authorized to make that request. This is a policy decision."

Melinda

_______________________________________________
nvo3 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nvo3
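The distinction drawn in the thread between message integrity and authorization, as an added example that is not part of the original messages: an unkeyed digest can be recomputed by anyone who changes the packet, a keyed HMAC-SHA-256 authenticates the sender, and a separate policy lookup decides whether that sender may make the request. The device names, keys, request names and policy table are constructed assumptions, not taken from the draft.

```python
import hashlib
import hmac

# Constructed sample data: per-device shared keys and an authorization policy.
DEVICE_KEYS = {"device-a": b"constructed-key-a", "device-b": b"constructed-key-b"}
POLICY = {"device-a": {"create-mapping", "read-mapping"}, "device-b": {"read-mapping"}}


def checksum_ok(payload: bytes, digest: str) -> bool:
    """Unkeyed SHA-256 check: detects corruption, says nothing about the sender."""
    return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), digest)


def sign(sender: str, request: str, payload: bytes, key: bytes) -> str:
    """HMAC-SHA-256 over length-prefixed fields so field boundaries are unambiguous."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in (sender.encode(), request.encode(), payload):
        mac.update(len(field).to_bytes(4, "big") + field)
    return mac.hexdigest()


def accept_control_packet(sender: str, request: str, payload: bytes, tag: str) -> str:
    """Authenticate the sender first, then make the authorization (policy) decision."""
    key = DEVICE_KEYS.get(sender)
    if key is None:
        return "reject: unknown sender"
    if not hmac.compare_digest(sign(sender, request, payload, key), tag):
        return "reject: authentication failed"
    if request not in POLICY.get(sender, set()):
        return "reject: not authorized"
    return "accept"


if __name__ == "__main__":
    body = b"vn=10;addr=192.0.2.1"  # constructed control payload
    # A modified payload with a recomputed plain digest still "verifies".
    print(checksum_ok(b"tampered", hashlib.sha256(b"tampered").hexdigest()))
    for dev in ("device-a", "device-b"):
        tag = sign(dev, "create-mapping", body, DEVICE_KEYS[dev])
        print(dev, accept_control_packet(dev, "create-mapping", body, tag))
```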
