On Friday, 3 May 2019 19:30:38 CEST Peter Gutmann wrote:
> Benjamin Kaduk <[email protected]> writes:
> >I'll make the obligatory note that SHA-2 is fine
>
> Sure, and that was the really strange thing with TLS 1.2, why not just say
> SHA-2 or better only, rather than adding mechanisms that were much, much
> weaker than its predecessors? So the simple fix is just to use SHA-2 only
> for TLS 1.2.
I don't know as I wasn't there when that was discussed, but one reason could
be the same as the problems we are facing now with RSA-PSS in TLS 1.3:
smartcards and HSMs that are limited to old algorithms.
Also, don't forget that signature_algorithms, at least in theory[1], was
supposed to also influence server certificate selection, and SHA-1 was used in
the vast majority of certificates in the PKI.
> >if someone does change their system, are really going to recommend they go
> >to TLS 1.0 with MD5||SHA1 rather than TLS 1.2 with SHA2?
>
> That would be one argument for an RFC, MUST SHA-2 only or MUST NOT MD5 and
> SHA-1 in 1.2. Which is pretty much what TLS-LTS says. Or at least it takes
> the SHA-2-suites-mandatory path which implies no MD5 or SHA-1, I guess I
> should also add an explicit MUST NOT MD5 and SHA-1.
>
> Having said that, given an RFC saying MUST NOT 1.0 and 1.1 which is what the
> original discussion was about, why not also add MUST NOT MD5 and SHA1 in
> TLS 1.2 to the text?
I've already suggested it with the draft authors, the conclusion was that it
probably should be a separate RFC.
1 - while in practice one popular implementation actually used it as a
"required" list – it would abort connections when the sigalg of the
certificate it had wasn't included in the ClientHello
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
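Added example, not code from this thread or from any implementation it mentions: it decodes a TLS 1.2 signature_algorithms extension body (RFC 5246, uint16 length followed by hash/signature byte pairs) and shows server-side certificate selection under the two readings discussed above, the advisory one and the "required list" one, with an optional SHA-2-only policy. The certificate descriptions and the ClientHello bytes are constructed sample data.

```python
# Code points from RFC 5246 section 7.4.1.4.1
HASH = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG = {1: "rsa", 2: "dsa", 3: "ecdsa"}
SHA2 = {"sha224", "sha256", "sha384", "sha512"}


def parse_signature_algorithms(body: bytes) -> list[tuple[str, str]]:
    """Decode the extension body: uint16 list length, then (hash, sig) pairs."""
    if len(body) < 2:
        raise ValueError("truncated signature_algorithms extension")
    length = int.from_bytes(body[:2], "big")
    if length % 2 or 2 + length != len(body):
        raise ValueError("bad signature_algorithms length")
    pairs = []
    for i in range(2, 2 + length, 2):
        h, s = body[i], body[i + 1]
        # Unknown code points are skipped rather than rejected.
        if h in HASH and s in SIG:
            pairs.append((HASH[h], SIG[s]))
    return pairs


def select_certificate(certs, sigalgs, strict_sha2=False):
    """Return the first server cert whose own signature the client listed.

    certs: list of (name, hash, sig) describing how each cert was signed
    (constructed descriptions, not real certificates).
    strict_sha2: drop MD5/SHA-1 from the client's list, i.e. the
    "MUST NOT MD5 and SHA-1 in TLS 1.2" policy the mail argues for.
    Returns None when nothing fits; a "required list" server aborts here.
    """
    offered = {a for a in sigalgs if not strict_sha2 or a[0] in SHA2}
    for name, h, s in certs:
        if (h, s) in offered:
            return name
    return None


# Constructed ClientHello extension body: length 6, offering
# sha1/rsa, sha256/rsa and sha256/ecdsa.
CLIENT_SIGALGS = bytes([0x00, 0x06, 0x02, 0x01, 0x04, 0x01, 0x04, 0x03])
SERVER_CERTS = [
    ("legacy-sha1-rsa", "sha1", "rsa"),      # e.g. from an HSM stuck on SHA-1
    ("modern-sha256-rsa", "sha256", "rsa"),
]
```

With the SHA-2-only policy the legacy certificate is no longer selectable, and a server that has only such a certificate ends up with no match, which is the deployment problem the mail points at.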