On Wednesday, March 30, 2016 11:22:15 am Eric Rescorla wrote:
> 1. Add a "this is only usable for TLS 1.3 [or for subcerts]" extension to
> PKIX.

Adding a PKIX extension to mandate a minimum threshold of security configuration (e.g. PFS+AEAD w/o resumption or SHA1 or any support for TLS <1.2) would also be great to have. In fact, if an intermediate could also set such a requirement and have that be required for all end-entity certs signed by it, that'd be a great way to protect against downgrades.

Dave

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
