On Mon, Mar 24, 2014 at 06:25:57AM +1100, Mark Andrews wrote:

> > Site A only publishes SHA1 entries.  Would rather do unauthenticated TLS
> > than trust SHA1?
> 
> You left out - report and refuse to send until fixed.

Broken is not a binary state.  Before previously reasonably sound
algorithms are fully broken, they are first tarnished, and our
confidence in their strength begins to fray.

Refuse to send is a strong reaction, when an algorithm is only
tarnished, with no known practical attacks, but known signs of
weakness.  Have you disabled RC4 in your browser yet?  If not, your
rather principled stand is "do as I say, not as I do".

> > Site B publishes both SHA2-512 and SHA1 entries.  Would you still want
> > to trust SHA1?
> 
> Once you decide SHA1 is not acceptable you ignore the records with SHA1
> hashes.

A flag day one can sensibly avoid by incrementally phasing out
(hypothetically) SHA1, as servers publish stronger records that include
(hypothetically) SHA1 to accommodate weaker clients in addition to stronger
digests.

> Publishing new hashes is trivial and will remain trivial.

Flag days remain a major deployment problem.

> Once an algorithm has reached the state where you don't trust it for a
> purpose you don't use it for that purpose.

That's fine, except at Internet scale.  Windows 2003 servers still
top out at RC4-SHA1, and at least Exchange 2003 has a broken 3DES
implementation.  Many server operators only enable RC4 for
performance reasons.

When exactly should you or I disable RC4-SHA1 support?  Fortunately
in TLS, cipher suites are negotiated.  I am trying to do the same
for DANE.

-- 
        Viktor.
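As an added illustration of the incremental phase-out Viktor describes (example code written for this page, not code from the thread or from any DANE implementation): a client groups TLSA records by (usage, selector) and ignores a weaker digest only when the server also publishes a stronger one the client supports, so a server that still carries a legacy digest for older clients does not force a flag day. The matching-type numbers are the real TLSA registry values, but the strength ranking, the hypothetical unknown type 9 and the sample byte strings are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed example of TLSA "digest algorithm agility": within each
# (usage, selector) group, a client ignores weaker digests only when the
# server also publishes a stronger one the client supports. Matching types
# follow the TLSA registry (0 = full data, 1 = SHA-256, 2 = SHA-512).
DIGEST_RANK = {1: 1, 2: 2}  # higher = stronger (ranking assumed by this example)

@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes

def digest(mtype: int, assoc: bytes) -> bytes:
    """Association data is the certificate (selector 0) or SPKI (selector 1)."""
    if mtype == 0:
        return assoc
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](assoc).digest()

def usable_records(rrset, supported=frozenset({0, 1, 2})):
    """Drop unsupported matching types; then, per (usage, selector), keep
    full-data records and only the strongest published supported digest."""
    strongest = {}
    for r in rrset:
        if r.mtype in supported and r.mtype in DIGEST_RANK:
            key = (r.usage, r.selector)
            strongest[key] = max(strongest.get(key, 0), DIGEST_RANK[r.mtype])
    keep = []
    for r in rrset:
        if r.mtype not in supported:
            continue  # unknown digest type: unusable record, not a failure
        if r.mtype == 0 or DIGEST_RANK[r.mtype] == strongest[(r.usage, r.selector)]:
            keep.append(r)
    return keep

def matches(rrset, assoc, supported=frozenset({0, 1, 2})) -> bool:
    """True if any usable record matches the presented association data."""
    return any(digest(r.mtype, assoc[r.selector]) == r.data
               for r in usable_records(rrset, supported))

# Constructed sample RRset: both SHA-256 and SHA-512 for the certificate
# (DANE-EE, selector 0), SHA-256 only for the public key (selector 1).
CERT = b"constructed DER certificate bytes"
SPKI = b"constructed SubjectPublicKeyInfo bytes"
RRSET = [TLSA(3, 0, 1, digest(1, CERT)), TLSA(3, 0, 2, digest(2, CERT)),
         TLSA(3, 1, 1, digest(1, SPKI)), TLSA(3, 0, 9, b"unknown type")]
```

A client that only supports SHA-256 (`supported={0, 1}`) still validates the same RRset via the legacy records, while a SHA-512-capable client never consults them.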

_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
