On Mon, 24 Mar 2014, Mark Andrews wrote:
> If you don't trust a algorithm you should not be using it. Period.
> This fall back to this untrusted/broken algorithm is bad engingeering
> and bad security practice.
>
> If the site you want to email only has broken TLSA records, get
> them on the phone to fix the problem.
Assume we may have reason to believe that SHA1 is within reach of well
funded adversaries, and assume it had a code-point in DANE.
Site A only publishes SHA1 entries. Would rather do unauthenticated TLS
than trust SHA1?
Site B publishes both SHA2-512 and SHA1 entries. Would you still want
to trust SHA1?
--
| .''`. ** Debian **
Peter Palfrader | : :' : The universal
http://www.palfrader.org/ | `. `' Operating System
| `- http://www.debian.org/
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
