That looks good to me. -- Wes Eddy MTI Systems >-----Original Message----- >From: Sean Turner [mailto:turners@xxxxxxxx] >Sent: Tuesday, December 21, 2010 12:14 PM >To: Eddy, Wesley M. (GRC-MS00)[ASRC AEROSPACE CORP] >Cc: Francis Dupont; wes@xxxxxxxxxxxxxxx; iesg@xxxxxxxx; >L.Wood@xxxxxxxxxxxx; ietf@xxxxxxxx; Sam Hartman >Subject: Re: Last Call: <draft-turner-md5-seccon-update-07.txt> (Updated >Security Considerations for the MD5 Message-Digest and the HMAC-MD5 >Algorithms) to Informational RFC > >Wes, > >I'm sympathetic to your concern, but I also think we need to specify >that this particular use needs to be "in-line" with the protocol (as >noted by Sam). How about the following changes in the introduction: > >OLD: > >[HASH-Attack] summarizes the use of hashes in many protocols and >discusses how attacks against a message digest algorithm's one-way >and collision-free properties affect and do not affect Internet >protocols. Familiarity with [HASH-Attack] is assumed. > >NEW: > >[HASH-Attack] summarizes the use of hashes in many protocols and >discusses how attacks against a message digest algorithm's one-way >and collision-free properties affect and do not affect Internet >protocols. Familiarity with [HASH-Attack] is assumed. One of the >uses of message digest algorithms in [HMAC-Attack] was integrity >protection. Where the MD5 checksum is used inline with the >protocol solely to protect against errors an MD5 checksum is still >an acceptable use. Applications and protocols need to clearly >state in their security considerations what security services, if >any, are expected from the MD5 checksum. In fact, any application >and protocol that employs MD5 needs to clearly state the expected >security services from their use of MD5. > >spt _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf