
Re: Crypto agility in SCRAM + draft-josefsson-password-auth?
Jeffrey Hutzelman wrote:

> The IETF security area has a mandate to avoid
> use of MD5 in new protocols, in favor of SHA-1
> or SHA-256 plus hash agility.

That must be a BCP I have not read yet; which is
it?  I recall that I looked into RFC 2898 some
time ago, but as there was no test case for its
MD5 PBKDF1 I forgot it again.

I asked here at least once why Hi(x) = H(Hi-1(x))
should be "better" than Hi(x) = H( i || x ) or
similar.  I've no idea why Nicholas thinks that I
like Hi(), or why he thinks that I claim that it
is faster than PBKDF2 when all I did was ask what
PBKDF2 is.

Without examples RFC 2898 is not interesting for
me; it also doesn't explain in which sense, if any,
HMAC-SHA1 is "better" than HMAC-MD5 when used as
the PRF for PBKDF2.

> In the meantime, the rest of us are getting on
> with life.

If that means that CRAM-MD5 is good enough, fine.

 Frank
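The message above asks what PBKDF2 actually is and how SCRAM's Hi() and the plain hash chain Hi(x) = H(Hi-1(x)) relate to it. The following is an added example, written for this page and not taken from the thread, RFC 2898, or any SCRAM draft. It implements PBKDF2 as RFC 2898 section 5.2 spells it out, with the HMAC hash as a parameter so HMAC-MD5 and HMAC-SHA1 run through the identical construction; it writes out Hi(str, salt, i) separately, following the RFC 5802 text, and checks that it equals a single PBKDF2 block; and it includes the unsalted, unkeyed hash chain from the message purely for contrast. The function names (pbkdf2, scram_hi, iterated_hash, check_against_stdlib) are this example's own. Results are checked against the RFC 6070 test vectors and against hashlib.pbkdf2_hmac.

```python
"""PBKDF2 (RFC 2898 section 5.2) with a pluggable HMAC PRF, SCRAM's Hi()
(RFC 5802 section 2.2), and the plain hash chain the thread compares it to.
Added example; function names are this example's own, not from any draft."""
import base64
import hashlib
import hmac
import struct


def pbkdf2(hash_name: str, password: bytes, salt: bytes, c: int, dk_len: int) -> bytes:
    """PBKDF2 with PRF = HMAC-<hash_name>, e.g. "sha1" or "md5".

    T_i = U_1 XOR U_2 XOR ... XOR U_c
    U_1 = PRF(P, S || INT(i)),  U_j = PRF(P, U_{j-1})
    DK  = T_1 || T_2 || ... truncated to dk_len bytes
    """
    h_len = hashlib.new(hash_name).digest_size
    if c < 1:
        raise ValueError("iteration count must be at least 1")
    if dk_len > (2**32 - 1) * h_len:
        raise ValueError("derived key too long")
    blocks = -(-dk_len // h_len)          # ceil(dk_len / h_len)
    dk = bytearray()
    for i in range(1, blocks + 1):
        # INT(i) is a four-byte big-endian block index, starting at 1.
        u = hmac.new(password, salt + struct.pack(">I", i), hash_name).digest()
        t = bytearray(u)
        for _ in range(c - 1):
            # Each further U_j keys HMAC with the password and hashes the
            # previous U; all of them are XORed into the block.
            u = hmac.new(password, u, hash_name).digest()
            for k in range(h_len):
                t[k] ^= u[k]
        dk += t
    return bytes(dk[:dk_len])


def scram_hi(hash_name: str, s: bytes, salt: bytes, i: int) -> bytes:
    """Hi(str, salt, i) as RFC 5802 writes it out:
    U1 = HMAC(str, salt || INT(1)), Uj = HMAC(str, U(j-1)),
    Hi = U1 XOR U2 XOR ... XOR Ui.
    Written independently of pbkdf2() so the two can be checked against
    each other: Hi() is PBKDF2 with dkLen equal to the hash output length."""
    u = hmac.new(s, salt + struct.pack(">I", 1), hash_name).digest()
    result = int.from_bytes(u, "big")
    for _ in range(i - 1):
        u = hmac.new(s, u, hash_name).digest()
        result ^= int.from_bytes(u, "big")
    return result.to_bytes(len(u), "big")


def iterated_hash(hash_name: str, x: bytes, i: int) -> bytes:
    """The Hi(x) = H(Hi-1(x)) chain from the message: no salt, no key input
    to the hash, no XOR accumulation.  Included only for contrast."""
    for _ in range(i):
        x = hashlib.new(hash_name, x).digest()
    return x


def check_against_stdlib(hash_name: str, password: bytes, salt: bytes, c: int, dk_len: int) -> bool:
    """True when pbkdf2() agrees with hashlib.pbkdf2_hmac for the same PRF."""
    return pbkdf2(hash_name, password, salt, c, dk_len) == hashlib.pbkdf2_hmac(
        hash_name, password, salt, c, dk_len)


if __name__ == "__main__":
    # RFC 6070 test vector for PBKDF2-HMAC-SHA1 (password "password", salt "salt", c=4096).
    print(pbkdf2("sha1", b"password", b"salt", 4096, 20).hex())
    # Salt from the RFC 5802 example exchange; Hi() equals one PBKDF2 block.
    salt = base64.b64decode("QSXCR+Q6sek8bf92")
    print(scram_hi("sha1", b"pencil", salt, 4096) == pbkdf2("sha1", b"pencil", salt, 4096, 20))
    # Same construction with HMAC-MD5 as the PRF: only the hash inside HMAC changes.
    print(check_against_stdlib("md5", b"password", b"salt", 1000, 32))
```

The point the code makes visible: the PRF is the only thing that differs between PBKDF2-HMAC-MD5 and PBKDF2-HMAC-SHA1, so the iteration count and salt handling are identical, and SCRAM's Hi() adds nothing beyond fixing dkLen to one hash block. The hash chain in iterated_hash() has neither a salt nor a keyed PRF, which is why it is not interchangeable with either.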