On Monday, 20 October 2025 15:45:13 CEST, Eric Rescorla wrote:
> On Mon, Oct 20, 2025 at 6:40 AM Alicja Kario <[email protected]> wrote:
>> On Monday, 20 October 2025 14:28:44 CEST, Eric Rescorla wrote:
>>> On Mon, Oct 20, 2025 at 5:17 AM Alicja Kario <hkario=[email protected]> wrote:
>>> ...
>>>> Falling back to cleartext can be achieved with much simpler means, if the
>>>> client allows for that at all, so I don't think we should consider that.
>>>
>>> My point is that in this scenario falling back to cleartext is worse
>>> than using a traditional algorithm. Moreover, it's actually not obviously
>>> the case that it is easier, given browser architecture, to fall back to
>>> cleartext, even assuming it was superior.
>>
>> I was thinking of protocols where that is a normal part of operation, like
>> SMTP.
>>
>> Now, going back to the migration. Yes, the attacks will be expensive at the
>> beginning, but I think what we should aim for is NOT to repeat the situation
>> with SHA-1, where the web was dragging its feet for like 10 years before SHA-1
>> was properly distrusted.
>
> I agree that we should try not to repeat that. The question is what the best
> way to do that is.

I think that providing an easy way to allow people to drag their feet on this
won't improve the situation... Basically, I think we should aim for a situation
where all major TLS clients and libraries simply don't advertise classical
crypto signatures as an option by default, in 10 years or so.
--
Regards,
Alicja Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]