Hi, Kathleen.

See inline.

> On 14 Mar 2017, at 22:40, Kathleen Moriarty <kathleen.moriarty.i...@gmail.com> wrote:
>
> Kathleen Moriarty has entered the following ballot position for
> draft-ietf-tls-rfc4492bis-15: Yes
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-tls-rfc4492bis/
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thanks for your work on this draft. I just have one question:
>
> In section 5.10, I see the following text:
>    The default hash function is SHA-1 [FIPS.180-2], and sha_size (see
>    Section 5.4 and Section 5.8) is 20. However, an alternative hash
>    function, such as one of the new SHA hash functions specified in FIPS
>    180-2 [FIPS.180-2], SHOULD be used instead.

If we add the three lines before the ones you quoted, they say this:

   All ECDSA computations MUST be performed according to ANSI X9.62 or
   its successors. Data to be signed/verified is hashed, and the result
   run directly through the ECDSA algorithm with no additional hashing.

The default of using SHA-1 is from X9.62: https://www.security-audit.com/files/x9-62-09-20-98.pdf

That is the document that was referenced by RFC 4492 and it’s from 1998. It doesn’t mention any hash function other than SHA-1. RFC 4492 said that other hash functions may be used. We’ve upgraded it to a SHOULD.

> Why are you setting the default to SHA-1 and then recommending that
> something else should be used? Why not just start with a different SHA
> hash function as the default or at least for TLS 1.2? I do see the prior
> text about TLS 1.0 and 1.1 using MD5 and SHA-1, but most have recommended
> to go right to TLS 1.2 with the SSLv3 deprecation. As such, I'm not
> clear on why the SHA-1 default.

_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls