On Fri, May 3, 2019 at 10:46 PM Peter Gutmann <pgut...@cs.auckland.ac.nz>
wrote:

> Kathleen Moriarty <kathleen.moriarty.i...@gmail.com> writes:
>
> >MD5 is not discussed in the current version of RFC7525.
>
> I would add it; if this is guidance for general use then it should cover
> all the bases: if SHA-1 is a MUST NOT then MD5 is a REALLY REALLY REALLY
> MUST NOT.
>
> (Technically SHA-1 is still safe for ephemeral signing, i.e. locations
> where an attacker can't spend arbitrary amounts of time working on
> precomputed data, which is most of TLS because of the nonces in the
> handshake and the fact that connections will quickly time out if nothing
> arrives, but since TLS 1.2 has SHA-2 built in already there's probably
> little point in separating out where SHA-1 is safe vs. where it isn't).
>

Sure, I agree, but I needed to look through prior documents first. Since it
wasn't in RFC7525 as a recommendation and the minimum baseline was above
MD5, I suspect that is why it is not mentioned. If there is support (and
no disagreements) the text above could be added and include that SHA-1 and
MD5 MUST NOT be used. The minimum baseline is already set above it though
in the statement.

WG decision is appreciated on this point and proposed text for RFC 7525.

Proposed:

   When using RSA, servers SHOULD authenticate using certificates with
   at least a 2048-bit modulus for the public key.  In addition, the use
   of the SHA-256 hash algorithm is the minimum requirement; SHA-1 and
   MD5 MUST NOT be used (see [CAB-Baseline
   <https://tools.ietf.org/html/rfc7525#ref-CAB-Baseline>] for
   more details).  Clients SHOULD indicate to servers that they request
   SHA-256, by using the "Signature Algorithms" extension defined in
   TLS 1.2.


Best regards,
Kathleen

>
> Peter.
>


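The proposed text asks clients to signal SHA-256 through the TLS 1.2 "Signature Algorithms" extension and rules out SHA-1 and MD5. The script below is an added example, not part of this thread or of RFC 7525: it builds a minimal TLS 1.2 ClientHello by hand (the random, session id and cipher suite are placeholder values), parses the signature_algorithms extension back out of it, and checks the offered (hash, signature) pairs against that proposed baseline. Code points for the extension and the HashAlgorithm/SignatureAlgorithm registries are taken from RFC 5246 section 7.4.1.4.1; everything else (function names, the constructed bytes) is an assumption for illustration.

```python
"""Check a TLS 1.2 ClientHello's signature_algorithms extension against the
proposed RFC 7525 baseline (SHA-256 minimum; SHA-1 and MD5 MUST NOT be used).
Added example; the ClientHello below is constructed, not captured traffic."""
import struct

# Registries from RFC 5246 section 7.4.1.4.1
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256",
              5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
SIGNATURE_ALGORITHMS_EXT = 0x000D
FORBIDDEN_HASHES = {1, 2}   # md5, sha1: the proposed MUST NOT
MIN_HASH = 4                # sha256 is the proposed minimum
RSA = 1


def build_client_hello(sig_algs):
    """Construct a minimal TLS 1.2 ClientHello record carrying only a
    signature_algorithms extension (placeholder random/session/cipher)."""
    pairs = b"".join(bytes([h, s]) for h, s in sig_algs)
    ext_body = struct.pack("!H", len(pairs)) + pairs
    extension = struct.pack("!HH", SIGNATURE_ALGORITHMS_EXT, len(ext_body)) + ext_body
    extensions = struct.pack("!H", len(extension)) + extension
    body = (b"\x03\x03"                    # client_version: TLS 1.2
            + b"\x00" * 32                 # random (placeholder)
            + b"\x00"                      # empty session_id
            + b"\x00\x02" + b"\x00\x2f"    # one cipher suite (placeholder)
            + b"\x01\x00"                  # compression_methods: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_signature_algorithms(record):
    """Walk the ClientHello and return the list of (hash, sig) pairs offered,
    or None if the extension is absent. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip client_version, random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    comp_len = body[pos]; pos += 1 + comp_len
    if pos == len(body):
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    if end > len(body):
        raise ValueError("extensions length overruns ClientHello")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + ext_len]; pos += ext_len
        if ext_type == SIGNATURE_ALGORITHMS_EXT:
            list_len = struct.unpack("!H", data[:2])[0]
            if list_len != len(data) - 2 or list_len % 2:
                raise ValueError("malformed signature_algorithms extension")
            return [(data[i], data[i + 1]) for i in range(2, 2 + list_len, 2)]
    return None


def check_policy(sig_algs):
    """Apply the proposed baseline: list every MD5/SHA-1 pair offered and
    report whether an RSA pair with SHA-256 or stronger is present."""
    if sig_algs is None:
        return {"extension_present": False, "forbidden": [],
                "offers_sha256_rsa": False}
    forbidden = [f"{HASH_NAMES.get(h, h)}+{SIG_NAMES.get(s, s)}"
                 for h, s in sig_algs if h in FORBIDDEN_HASHES]
    # Registry ids 4, 5, 6 are sha256/384/512, so >= MIN_HASH means "at least SHA-256"
    offers = any(h >= MIN_HASH and s == RSA for h, s in sig_algs)
    return {"extension_present": True, "forbidden": forbidden,
            "offers_sha256_rsa": offers}


if __name__ == "__main__":
    # Constructed client offer: sha256+rsa, sha384+rsa, and a legacy sha1+rsa
    hello = build_client_hello([(4, RSA), (5, RSA), (2, RSA)])
    print(check_policy(parse_signature_algorithms(hello)))
```

A client that satisfies the proposed text produces an empty `forbidden` list and `offers_sha256_rsa` true; a ClientHello with no extension at all comes back with `extension_present` false, which is the case where a TLS 1.2 server falls back to the SHA-1 defaults of RFC 5246 and is worth flagging separately.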
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
