Last Call Review of draft-turner-md2-to-historic-
review-turner-md2-to-historic-secdir-lc-meadows-2010-10-24-00

Request
Review of: draft-turner-md2-to-historic
Requested revision: No specific revision (document currently at 10)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2010-11-09
Requested: 2010-10-14
Authors: Sean Turner
I-D last updated: 2010-10-24
Completed reviews: Secdir Last Call review of -?? by Catherine Meadows
Assignment
Reviewer: Catherine Meadows
State: Completed
Request Last Call review on draft-turner-md2-to-historic by Security Area Directorate Assigned
Completed 2010-10-24
review-turner-md2-to-historic-secdir-lc-meadows-2010-10-24-00
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document recommends that the MD2 hash algorithm be moved to historic
status and gives the rationale for doing this.  The reasons are mainly
security-related, given that the algorithm has been shown not to be
collision-free and is vulnerable to pre-image attacks.  Performance is also an
issue.  The impact is minimal, given that support for MD2 in the standards that
refer to it is either optional or discouraged.

I have no problems with the decision or rationale.  I agree, as I am sure that
everyone else does, that MD2 should be retired.

I do have one minor recommendation though about the rationale: in section 2
(the Rationale section), you say that MD2 has been shown to not be
collision-free and is vulnerable to pre-image attacks.  The Rationale appears
to give both these concerns equal value. But in Section 6 (Security
Considerations), you say that the most successful collision attacks against MD2
are not significantly better than the birthday attack, and the real security
problems with MD2 have to do with its vulnerability to pre-image attacks.  It
seems to me that this reasoning should be reflected in the Rationale.

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows at nrl.navy.mil