tech-security archive


Re: Proposal: Remove MD5 / SHA1 support from veriexec



> Date: Mon, 28 Aug 2017 08:00:05 +0200
> From: Martin Husemann <martin%duskware.de@localhost>
> 
> I still think a new kernel should just support all hashes that we previously
> allowed to be generated, maybe with some prominent warning that the admin
> should (at their convenience) upgrade the hashes to a more modern algorithm.
> 
> I hate how openssh regularly removes support for things still in use (and
> still in use for *locally* valid reasons). We should do better.
> 
> I don't think booting a new kernel to single user, replacing the hashes,
> then finding later the kernel does not cut it, rebooting old kernel to
> single user and (maybe) needing to regen hashes again is a sane thing.
> 
> But I don't know if we grew any hashes that ancient kernels did not support
> recently, so this may be moot - or a simple documentation issue.

My understanding was that the proposal is:

1. Remove MD5 &c. from veriexecgen(8) *now*, so that when you next
upgrade NetBSD and necessarily regenerate the hashes anyway, you will
have to use SHA-2 or something.  But booting a newer kernel will still
handle the MD5 &c. hashes.

2. Remove MD5 &c. from veriexec(4) in the *next* version of NetBSD, at
which point nobody will have any veriexec hashes with MD5 &c.

Did I misunderstand something?

