Re: [TLS] I-D Action: draft-ietf-tls-md5-sha1-deprecate-08.txt

2021-09-03 Thread Hubert Kario
On Friday, 3 September 2021 18:00:12 CEST, internet-dra...@ietf.org wrote: A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Transport Layer Security WG of the IETF. Title : Deprecating MD5 and SHA-1 signature

[TLS] I-D Action: draft-ietf-tls-md5-sha1-deprecate-08.txt

2021-09-03 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Transport Layer Security WG of the IETF. Title : Deprecating MD5 and SHA-1 signature hashes in (D)TLS 1.2 Authors : Loganaden Velvindron

Re: [TLS] progressing draft-ietf-tls-md5-sha1-deprecate

2021-09-03 Thread Sean Turner
Daniel, This I-D is an update to RFC 5246 (see header). Only the 7525 updates were moved to 7525bis. While checking this out I did note a couple of other places in the I-D that 7525 needs to be scrubbed. I asked for changes in the following PR to account for those:

Re: [TLS] Combining Secrets in Hybrid Key Exchange in TLS 1.3

2021-09-03 Thread Nimrod Aviram
Hi David,

> we assume the KDF is collision-resistant.

Agreed that the current key schedule relies on this. Appendix E.1.1 also states we assume the underlying hash function to be collision resistant.

> the proposed construction is dramatically more involved than what's in the draft

Agreed.

Re: [TLS] progressing draft-ietf-tls-md5-sha1-deprecate

2021-09-03 Thread Daniel Migault
Looks good to me, however this still represents in my opinion an update to 5246 -- which I think is also what we want.

Yours, Daniel

On Thu, Sep 2, 2021 at 10:37 PM Sean Turner wrote:
> Just a reminder that sometime tomorrow I will ask for these PRs to be
> merged and a new version of the I-D

Re: [TLS] Combining Secrets in Hybrid Key Exchange in TLS 1.3

2021-09-03 Thread Nimrod Aviram
Hi Dan, The assumptions for the ETSI proofs don't match the scenario we're considering, but are rather stronger. We assume the adversary gets to control some part of the secret concatenation (e.g. when KEMs are used), and that honest parties may re-use secrets (e.g. when static ECDH is used). The