IETF Logo Mail Archive

Re: [http-auth] draft-ietf-httpauth-digest-update and SHA-3

Yoav Nir <ynir@checkpoint.com> Sun, 07 July 2013 16:14 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E29221F8ECB for <http-auth@ietfa.amsl.com>; Sun, 7 Jul 2013 09:14:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.535
X-Spam-Level:
X-Spam-Status: No, score=-10.535 tagged_above=-999 required=5 tests=[AWL=0.064, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZiAz9NV2YQ35 for <http-auth@ietfa.amsl.com>; Sun, 7 Jul 2013 09:14:53 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 4379021F8B8B for <http-auth@ietf.org>; Sun, 7 Jul 2013 09:14:53 -0700 (PDT)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r67GEqLI018135 for <http-auth@ietf.org>; Sun, 7 Jul 2013 19:14:52 +0300
X-CheckPoint: {51D993FC-0-1B221DC2-1FFFF}
Received: from DAG-EX10.ad.checkpoint.com ([169.254.3.48]) by IL-EX10.ad.checkpoint.com ([169.254.2.91]) with mapi id 14.02.0342.003; Sun, 7 Jul 2013 19:14:51 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: "http-auth@ietf.org" <http-auth@ietf.org>
Thread-Topic: [http-auth] draft-ietf-httpauth-digest-update and SHA-3
Thread-Index: AQHOeZItOyP0ZMM/I0qnJaYgM96yh5lWIBCAgAAGPoCAACKbgIAADaEAgAAJPgCAACRKgIAATyMAgAAJ0ICAALGHgIAABDcAgAAEjYCAABIKgIAAA7KAgAAEnYCAAAL8AIABUHUAgAAWVgCAAAH5AIAAEkeAgAAFFQA=
Date: Sun, 07 Jul 2013 16:14:51 +0000
Message-ID: <B9B8548D-2B50-4936-8806-1E7F38724889@checkpoint.com>
References: <1B87C63A-5E7A-4FEB-B995-B736E229CEE7@vpnc.org> <CAGL6epJ9NypDi+QAJVWp_wDBmiCYa77YY5TdrGkbB-noF6rQ-w@mail.gmail.com> <B8CA2A20-AB0C-4D0D-B511-B5CEF69FFA3C@vpnc.org> <51D7209F.5090600@gmail.com> <6F2D0290-5A81-4121-A768-F81BC67DD122@checkpoint.com> <51D733CE.1090009@gmail.com> <CAGL6epKYxXSYrjY3F8by2SJzj47reSxLvEq_4Knx10o+eKA-rQ@mail.gmail.com> <F01978FE-E181-4905-88D8-8DC800BC280E@checkpoint.com> <51D79CDD.7020201@it.aoyama.ac.jp> <73CDEB14-35F4-412F-A110-042626473BF6@vpnc.org> <2622773E-5D8C-40A9-8EB2-AA769EF5BEF1@checkpoint.com> <17ED77E7-FBC7-4980-B79B-B2A61D0AD85B@vpnc.org> <CAGL6epLZXf3pd+hPAyv7zF+M_nypz3J1eKyAjPwH5hxgu7J7hg@mail.gmail.com> <51D84B5F.2070802@gmail.com> <B329F106-483A-42E6-887F-A75947E8597B@vpnc.org> <CAGL6epKzKP_0WfBHBqmTzmqUPVy2CMVi3k32UAAUa8FMUaoWaw@mail.gmail.com> <CAGL6ep++YGdep6BU+XsZxjRND2HqfE5RGc2vA-i-xkzSNvbK3w@mail.gmail.com> <3E34AC26-A4E7-496C-BB59-2E2493367956@vpnc.org> <51D98060.8070907@gmail.com> <AD9CD723-78D6-47D1-AC27-BD5ACBF02BC3@checkpoint.com>
In-Reply-To: <AD9CD723-78D6-47D1-AC27-BD5ACBF02BC3@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.21.21]
x-kse-antivirus-interceptor-info: protection disabled
x-cpdlp: 11437bf8b95adfa2cb8ec09a4259b05fd990bf708a
Content-Type: text/plain; charset="us-ascii"
Content-ID: <EF794172D675D948A45F51348B43A368@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [http-auth] draft-ietf-httpauth-digest-update and SHA-3
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Jul 2013 16:14:58 -0000

Aargh. What I tell you three times is true?

Sorry about that.

Yoav

On Jul 7, 2013, at 6:56 PM, Yoav Nir <ynir@checkpoint.com> wrote:

> [with implementer hat on]
> 
> My implementation has it, although this makes little difference as it's not a public library.
> 
> OIDs are already defined for this algorithm (2.16.840.1.101.3.4.2.6 and 1.2.840.113549.1.1.16) but I'm not aware of anyone issuing certificates with it.
> 
> We could define a simple truncation of SHA2-512 ourselves, but I guess there was some method behind defining it a little differently. Anyone know?
> 
> Yoav
> 
> On Jul 7, 2013, at 5:51 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
> 
>> Hi,
>> 
>> The draft mistakenly cites FIPS 186, rather than FIPS 180, for SHA2.
>> 
>> The correct notation is "SHA-512/256".
>> 
>> And most worryingly, reading Sec. 5.3.6 of the FIPS pub, I wonder if common implementations of SHA2 support this algorithm, which is *not* the naive truncation that I expected it to be.
>> 
>> Thanks,
>> 	Yaron
>> 
>> On 2013-07-07 17:44, Paul Hoffman wrote:
>>> On Jul 7, 2013, at 6:24 AM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> wrote:
>>> 
>>>> I have just submitted a new version of the draft that removes SHA3 as a back algorithm and uses SHA2-512/256 instead. The draft also mentions that a future version might add SHA3 as a backup algorithm.
>>>> https://datatracker.ietf.org/doc/draft-ietf-httpauth-digest-update/
>>>> 
>>>> Please, review the new draft and let me know if you have any further comments.
>>> 
>>> This looks very good. We need a reference for SHA-512-256, but I think I remember that NIST already has one.
>>> 
>>> --Paul Hoffman
> 
> _______________________________________________
> http-auth mailing list
> http-auth@ietf.org
> https://www.ietf.org/mailman/listinfo/http-auth

v2.23.0 | Report a Bug | By Email