Last Call Review of draft-turner-md2-to-historic-

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

This document recommends that the MD2 hash algorithm be moved to historic status and gives
the rationale for doing this. The reasons are mainly security-related, given that the algorithm
has been shown not to be collision-free and is vulnerable to pre-image attacks. Performance is also an
issue. The impact is minimal, given that support for MD2 in the standards that refer to it is either optional or

I have no problems with the decision or rationale. I agree, as I am sure that everyone else does, that MD2
should be retired.

I do have one minor recommendation though about the rationale: in Section 2 (the Rationale section),
you say that MD2 has been shown to not be collision-free and is vulnerable to pre-image attacks. The Rationale
appears to give both these concerns equal value. But in Section 6 (Security Considerations), you say
that the most successful collision attacks against MD2 are not significantly better than the birthday attack,
and the real security problems with MD2 have to do with its vulnerability to pre-image attacks. It seems to me that
this reasoning should be reflected in the Rationale.

Naval Research Laboratory
4555 Overlook Ave., S.W.
Washington DC, 20375
email: catherine.meadows at nrl.navy.mil