On 5/6/19, 7:22 AM, "TLS on behalf of Hubert Kario" <[email protected] on
behalf of [email protected]> wrote:
>> Sure, and that was the really strange thing with TLS 1.2, why not just say
>> SHA-2 or better only, rather than adding mechanisms that were much, much
>> weaker than its predecessors? So the simple fix is just to use SHA-2 only
>> for TLS 1.2.
> I don't know, as I wasn't there when that was discussed, but one reason could
> be the same as the problems we are facing now with RSA-PSS in TLS 1.3:
> smartcards and HSMs that are limited to old algorithms.
HSMs are more likely than not to support SHA-2. Smartcards rarely perform hashing
themselves, relying on the software that uses them.
> Also, don't forget that signature_algorithms, at least in theory[1], was
> supposed to also influence server certificate selection, and SHA-1 was used in
> the vast majority of certificates in PKI.
Alas. Only in some (albeit large) enclaves.
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
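As an added illustration of the point discussed in the thread (not code from any of the participants): a small Python check that decodes a ClientHello signature_algorithms list and reports which offered schemes still bind the signature to SHA-1 or MD5, and whether the client also offers a SHA-2 scheme so a server could select a SHA-2 signed certificate instead. The extension body, the function names and the code-point table are mine; the sample body is constructed.

```python
import struct

# SignatureScheme code points as registered for TLS (RFC 8446 section 4.2.3);
# the TLS 1.2 HashAlgorithm/SignatureAlgorithm pairs occupy the same two bytes.
SCHEME_NAMES = {
    0x0201: "rsa_pkcs1_sha1",
    0x0203: "ecdsa_sha1",
    0x0401: "rsa_pkcs1_sha256",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0503: "ecdsa_secp384r1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256",
    0x0807: "ed25519",
}

# TLS 1.2 HashAlgorithm values (high byte) that are no longer acceptable.
LEGACY_HASH_BYTES = {0x01: "md5", 0x02: "sha1"}


def parse_signature_algorithms(body: bytes) -> list[int]:
    """Decode signature_algorithms extension_data (RFC 5246 section 7.4.1.4.1):
    a 2-byte vector length followed by 2-byte SignatureScheme values."""
    if len(body) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", body[:2])
    vec = body[2:]
    if length != len(vec) or length < 2 or length % 2:
        raise ValueError("bad supported_signature_algorithms length")
    return [s for (s,) in struct.iter_unpack("!H", vec)]


def legacy_hash_schemes(schemes: list[int]) -> list[str]:
    """Names of offered schemes that bind the signature to MD5 or SHA-1."""
    return [SCHEME_NAMES.get(s, f"0x{s:04x}")
            for s in schemes if (s >> 8) in LEGACY_HASH_BYTES]


def sha2_selection_possible(schemes: list[int]) -> bool:
    """True if a non-legacy scheme is offered, so a SHA-2 certificate can be chosen."""
    return any((s >> 8) not in LEGACY_HASH_BYTES for s in schemes)


# Constructed extension body: a client offering sha256/rsa, sha256/ecdsa,
# sha1/rsa, sha1/ecdsa and rsa_pss_rsae_sha256 (vector length 10, five schemes).
SAMPLE_BODY = bytes.fromhex("000a" "0401" "0403" "0201" "0203" "0804")
```

Run against SAMPLE_BODY, legacy_hash_schemes returns the two SHA-1 schemes and sha2_selection_possible returns True; a client offering only the SHA-1 pairs would make the second check False.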