On Mon, May 6, 2019 at 1:45 PM Blumenthal, Uri - 0553 - MITLL <[email protected]> wrote:

> On 5/6/19, 7:22 AM, "TLS on behalf of Hubert Kario" <[email protected] on behalf of [email protected]> wrote:
>
> > Sure, and that was the really strange thing with TLS 1.2, why not just say
> > SHA-2 or better only, rather than adding mechanisms that were much, much
> > weaker than its predecessors? So the simple fix is just to use SHA-2 only
> > for TLS 1.2.
>
> I don't know as I wasn't there when that was discussed, but one reason could
> be the same as the problems we are facing now with RSA-PSS in TLS 1.3:
> smartcards and HSMs that are limited to old algorithms.
>
> HSMs are more likely than not to support SHA-2. Smartcards rarely perform
> hash themselves, relying on the software that uses them.
>
> > Also, don't forget that signature_algorithms, at least in theory[1], was
> > supposed to also influence server certificate selection, and SHA-1 was used in
> > vast majority of certificates in PKI.
>
> Alas. Only in some (albeit large) enclaves.

Is this better suited for another (short) draft?

Best,
Kathleen

> _______________________________________________
> TLS mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/tls
>

--
Best regards,
Kathleen
