On Wed, Mar 30, 2016 at 2:47 PM, Ilari Liusvaara
wrote:
> On Wed, Mar 30, 2016 at 01:33:57PM -0700, Eric Rescorla wrote:
> > On Wed, Mar 30, 2016 at 1:23 PM, Dave Garrett
> > wrote:
> >
> > > On Wednesday, March 30, 2016 11:22:15 am Eric
On Wed, Mar 30, 2016 at 01:33:57PM -0700, Eric Rescorla wrote:
> On Wed, Mar 30, 2016 at 1:23 PM, Dave Garrett
> wrote:
>
> > On Wednesday, March 30, 2016 11:22:15 am Eric Rescorla wrote:
> > > 1. Add a "this is only usable for TLS 1.3 [or for subcerts]" extension to
> >
On Wed, Mar 30, 2016 at 1:23 PM, Dave Garrett
wrote:
> On Wednesday, March 30, 2016 11:22:15 am Eric Rescorla wrote:
> > 1. Add a "this is only usable for TLS 1.3 [or for subcerts]" extension to
> > PKIX.
>
> Adding a PKIX extension to mandate a minimum threshold of
On Mar 30, 2016 9:03 AM, "Daniel Kahn Gillmor"
wrote:
>
> On Wed 2016-03-30 11:22:15 -0400, Eric Rescorla wrote:
> > > This got a lot of discussion early in the design process and the consensus
> > > was that the risk of having the default mode (with existing certs) allow the
On Wednesday, March 30, 2016 11:22:15 am Eric Rescorla wrote:
> 1. Add a "this is only usable for TLS 1.3 [or for subcerts]" extension to
> PKIX.
Adding a PKIX extension to mandate a minimum threshold of security
configuration (e.g. PFS+AEAD w/o resumption or SHA1 or any support for TLS
<1.2)
On Wed, Mar 30, 2016 at 8:22 AM, Eric Rescorla wrote:
> This got a lot of discussion early in the design process and the consensus
> was that the risk of having the default mode (with existing certs) allow the
> creation of a long-term delegation was too high. See, for instance,
This got a lot of discussion early in the design process and the consensus
was that the risk of having the default mode (with existing certs) allow the
creation of a long-term delegation was too high. See, for instance, the
relative impact of the recent paper by Jager et al. [0] on TLS 1.3 and