Date: Sun, 04 Jan 2009 09:22:06 +0200
From: Hank Nussbacher <hank@efes.iucc.ac.il>

>>You mean like for BGP neighbors? Wanna suggest an alternative?
>
>Well, most likely MD5 is better than the alternative today which is to run
>no authentication/encryption at all.
>
>But we should push whoever is developing these standards to go for SHA-1
>or equivalent instead of MD5 in the longer term.

Who is working on this? I don't find anything here:
http://www.ietf.org/html.charters/idr-charter.html

All I can find is:
http://www.ietf.org/rfc/rfc2385.txt
http://www.ietf.org/rfc/rfc3562.txt
http://www.ietf.org/rfc/rfc4278.txt

Nothing on replacing MD5 for BGP.

I don't see why this is an issue (today). As far as I understand it, the
vulnerability in MD5 is that, with time and cycles, it is possible to
create a collision where two files have the same MD5 hash, so the
counterfeit cert would check as valid. For the MD5 signature on a TCP
packet, this is not relevant.
Am I missing something? (I will admit to not being a cryptography person, so I
may totally misunderstand.)
I don't object to moving to a stronger hash, but, considering the
expense and time involved, I'd suggest waiting for the new hash
algorithm that the NIST challenge will hopefully provide.
In other words, stick to MD5 in places where it is not believed to be
vulnerable and where converting to SHA-1 or SHA-256 would be expensive.
Where it IS believed vulnerable, the cost/benefit ratio would have to
determine when the conversion is justified. For X.509 certs, I believe
the answer is clearly that it is justified and has been for at least 2
years.
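
For reference, the RFC 2385 TCP MD5 signature computation this thread is about, as an added example that is not part of any message above: the digest covers a shared key that is never sent on the wire, unlike the certificate case where the signed content is public. IPv4, the sample addresses, ports, key, and the 20-byte padded option length are constructed assumptions.

```python
import hashlib
import hmac
import socket
import struct

TCP_MD5_KIND = 19    # option kind assigned by RFC 2385
TCP_MD5_LEN = 18     # kind + length + 16-byte digest
OPTIONS_LEN = 20     # assumption: the 18-byte option padded to 32 bits


def tcp_md5_digest(src, dst, sport, dport, seq, ack, flags, window, payload, key):
    """MD5 over the four items RFC 2385 lists, in order."""
    header_len = 20 + OPTIONS_LEN
    # 1. IPv4 pseudo-header: addresses, zero, protocol 6, TCP segment length.
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, header_len + len(payload))
    # 2. Fixed TCP header, options excluded, checksum field taken as zero.
    offset_flags = ((header_len // 4) << 12) | flags
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         offset_flags, window, 0, 0)
    # 3. Segment data, then 4. the shared key, which is never transmitted.
    return hashlib.md5(pseudo + header + payload + key).digest()


def md5_option(digest):
    """Encode the digest as the TCP option carried in the segment."""
    return struct.pack("!BB16s", TCP_MD5_KIND, TCP_MD5_LEN, digest)


def verify(option, key, **segment):
    """Receiver side: recompute with the local key and compare."""
    kind, length, received = struct.unpack("!BB16s", option)
    if kind != TCP_MD5_KIND or length != TCP_MD5_LEN:
        return False
    expected = tcp_md5_digest(key=key, **segment)
    return hmac.compare_digest(received, expected)


# Constructed sample segment (documentation addresses, made-up key).
SEGMENT = dict(src="192.0.2.1", dst="192.0.2.2", sport=49152, dport=179,
               seq=1000, ack=2000, flags=0x18, window=16384,
               payload=b"constructed BGP bytes")
KEY = b"example-shared-secret"

if __name__ == "__main__":
    opt = md5_option(tcp_md5_digest(key=KEY, **SEGMENT))
    print("option:", opt.hex())
    print("right key:", verify(opt, KEY, **SEGMENT))
    print("wrong key:", verify(opt, b"guess", **SEGMENT))
```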