
Re: Logical inconsistencies in draft-ietf-dnsext-tsig-md5-deprecated-00.txt



JFTR, Paul Hoffman <paul.hoffman@xxxxxxxx> wrote on the DNSEXT list:

> At 2:46 PM +0200 7/10/08, Florian Weimer wrote:

>> ... I was mistaken about the strength of the MD5 attacks published so
>> far.  D'oh!
 
> It is not the strength: it is the type of protection. If you need 
> collision-resistance, you can probably safely assume that MD5 is too 
> weak for anything, and getting weaker all the time. If you need 
> preimage strength, MD5 is still untouched at 128 bits, and there 
> haven't even been strong hints of any preimage weakness even though, 
> post-Wang, there has been a huge amount of effort by people who want 
> to be the first to show an attack.
 
>> Given that, I agree that deprecating HMAC-MD5 is premature, but the
>> three octets "MD5" are unfortunately tainted forever.
 
> Not if we don't spread the FUD. It's really not that hard. Hashes 
> have three properties (there are actually two types of preimages), 
> and only one has been found weak in MD5 and SHA1. Things that don't 
> use that property are not affected by the weakness of the property.