> That said, I think recent practice has been to not take a strict hard line
> that MD5 cannot be used ever, and that non-cryptographic uses for legacy
> compatibility can be retained, when accompanied by a disclaimer that the use
> of MD5 is not for cryptographic purposes and that MD5 is not a secure
> cryptographic hash function.

I'm missing the big picture. What is Yang supposed to do? I'd expect it would be describing existing practices. I don't expect it to be trying to add MUSTs to other RFCs.

I'd be happy with notes that a use case has been deprecated, especially if there is an RFC to point to. But unless I'm missing something, Yang is not the place to be trying to enforce good crypto practices.

Most people working on NTP won't pay any attention to Yang if they even know it exists.

NTP uses MD5 in two places. One is hashing IPv6 addresses to make something that fits into a slot that only has room for IPv4 addresses. I don't think there are any crypto/security considerations.

The other is for authenticating packets. RFC 8573 deprecates that usage. A note in a Yang document saying "using MD5 for authenticating NTP has been deprecated by RFC 8573" seems like a good idea. I think anything stronger will be inappropriate.

But maybe I don't understand what Yang is all about.

--
These are my opinions. I hate spam.