Re: Gen-ART LC Review of draft-ietf-sasl-scram-07

From: Nicolas Williams <Nicolas.Williams at sun.com>
To: Alexey Melnikov <alexey.melnikov at isode.com>
Cc: simon at josefsson.org, IETF-Discussion list <ietf at ietf.org>, General Area Review Team <gen-art at ietf.org>, ams at oryx.com, Chris Newman <Chris.Newman at sun.com>, tlyu at mit.edu
Date: Fri, 2 Oct 2009 15:59:21 -0500
In-reply-to: <20091002181726.GE887 at Sun.COM>
References: <158DDD3E-C686-43EC-8E8D-C8F844735490 at estacado.net> <29d3c4cb0910021014y68a0547r264ec3d18230551 at mail.gmail.com> <20091002181726.GE887 at Sun.COM>

On Fri, Oct 02, 2009 at 01:17:26PM -0500, Nicolas Williams wrote:
> On Fri, Oct 02, 2009 at 06:14:47PM +0100, Alexey Melnikov wrote:
> > On Thu, Sep 24, 2009 at 2:22 AM, Ben Campbell <ben at estacado.net> wrote:
> > > I'm no crypto expert, so please forgive me if this is silly--but isn't there
> > > a movement to phase out sha-1? If so, should that be the default "must
> > > implement" hash for a new mechanism?
> > 
> > My understanding is that use of SHA-1 under HMAC is still considered reasonable.
> > The WG debated at length use of SHA-1 versa use of SHA-256, etc. and decided
> > to proceed with SHA-1, because it is more frequently implemented in libraries
> > and hardware.
> 
> This matter has come up elsewhere, such as in the KRB-WG.  NIST has not
> obsoleted the use of HMAC-SHA-1, though I don't have a reference handy
> at the moment (but a quick search of the KRB-WG mailing list and, maybe,
> the krbdev at mit.edu list should yield one).

http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html

"After 2010, Federal agencies may use SHA-1 only for the following
applications: hash-based message authentication codes (HMACs); key
derivation functions (KDFs); and random number generators (RNGs).
Regardless of use, NIST encourages application and protocol designers to
use the SHA-2 family of hash functions for all new applications and
protocols."

Nico
--

References:
- Gen-ART LC Review of draft-ietf-sasl-scram-07
  - From: Ben Campbell
- Re: Gen-ART LC Review of draft-ietf-sasl-scram-07
  - From: Alexey Melnikov
- Re: Gen-ART LC Review of draft-ietf-sasl-scram-07
  - From: Nicolas Williams

Prev by Date: Re: [Gen-art] Followup on Gen-ART review of draft-ietf-mext-binding-revocation (was Re: Gen-ART LC and Telechat Review of draft-ietf-mext-binding-revocation-10)
Next by Date: Results of Venue Contract Survey
Previous by thread: Re: Gen-ART LC Review of draft-ietf-sasl-scram-07
Next by thread: Re: Gen-ART LC Review of draft-ietf-sasl-scram-07
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: Gen-ART LC Review of draft-ietf-sasl-scram-07

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.