On Wed, Mar 30, 2016 at 1:23 PM, Dave Garrett <[email protected]> wrote:
> On Wednesday, March 30, 2016 11:22:15 am Eric Rescorla wrote: > > 1. Add a "this is only usable for TLS 1.3 [or for subcerts]" extension to > > PKIX. > > Adding a PKIX extension to mandate a minimum threshold of security > configuration (e.g. PFS+AEAD w/o resumption or SHA1 or any support for TLS > <1.2) would also be great to have This seems like a fairly blunt instrument. Better to make sure that TLS's negotiaton mechanisms are reliable and trustworthy. -Ekr > . In fact, if an intermediate could also set such a requirement and have > that be required for all end-entity certs signed by it, that'd be a great > way to protect against downgrades. > > > Dave >
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
