Re: [TLS] sect571r1

2015-07-15 Thread Rob Stradling
_everything_ is rarely used when it comes to ECDHE. Dave ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online _

Re: [TLS] sect571r1

2015-07-15 Thread Rob Stradling
On 15/07/15 23:27, Rob Stradling wrote: AIUI, OpenSSL's default highest preference curve is sect571r1 (aka B-571). See [1] and [2]. The result of calling OpenSSL's recommended SSL_CTX_set_ecdh_auto(ctx, 1) function is that "the highest preference curve is automatically used for

Re: [TLS] Controlling use of SHA-1

2015-10-22 Thread Rob Stradling
ince I built this on top of ekr's client authentication changes (to avoid messy rebases): https://github.com/martinthomson/tls13-spec/commit/354475cf02819a9cc808457f2c09fdaeb1f82aa5 -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online ___

Re: [TLS] TLS 1.3 and OCSP stapling

2015-12-14 Thread Rob Stradling
7 (status_request_v2) from the TLS server? [1] https://tools.ietf.org/html/rfc7633 -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Abridged Certificate Compression

2023-07-13 Thread Rob Stradling
How about also including in the shared dictionary the SHA-256 hashes of the public keys of all the known CTv1 logs, so that the 32-byte LogID field of each SCT will be compressed? FWIW, RFC9162 (CTv2) tackles the same SCT bloat by changing the LogID type from a (32-byte) SHA-256 hash of the log

Re: [TLS] Abridged Certificate Compression

2023-07-14 Thread Rob Stradling
ion. Do not click links or open attachments unless you recognize the sender and know the content is safe. On 13/07/2023 10:13, Rob Stradling wrote: How about also including in the shared dictionary the SHA-256 hashes of the public keys of all the known CTv1 logs, so that the 32-byte LogID field o

Re: [TLS] How to Validate Servers' Identities w/out reliable source of time

2018-10-04 Thread Rob Stradling
ternal" source of time can be used. Do you know if there are indications / best practices from ITU or from IETF (or other organizations) on how to deal with this issue ? Has the issue been addressed somewhere ? Cheers, Max -- Best Regards, Massimiliano Pala, Ph.D. OpenCA Labs Direct

Re: [TLS] OCSP stapling problem

2018-12-19 Thread Rob Stradling
dy has some support for Must-Staple: https://github.com/openssl/openssl/pull/495 (Perhaps I've misunderstood what is "the issue" that "nobody has raised"?) -- Rob Stradling Senior Research & Development Scientist Sectigo Limited ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] OCSP stapling problem

2018-12-19 Thread Rob Stradling
tart until the administrator has manually enabled OCSP stapling? -- Rob Stradling Senior Research & Development Scientist Sectigo Limited ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] ct_compliant cached info field

2019-02-22 Thread Rob Stradling
raft aims to avoid > including information that might change over time, which would > render caches invalid.  Isn't that motivation to recommend an SCT > over an STH? > > Separately, why does this establish a new registry for signature > schemes?  It is obvio

Re: [TLS] ct_compliant cached info field

2019-02-25 Thread Rob Stradling
Thanks EKR. Done, in https://github.com/google/certificate-transparency-rfcs/pull/307 On 22/02/2019 14:51, Eric Rescorla wrote: > That works for me > > -Ekr > > > On Fri, Feb 22, 2019 at 6:41 AM Rob Stradling <mailto:r...@sectigo.com>> wrote: > > EKR, M

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-02 Thread Rob Stradling
there. I’m not very optimistic, though. Please don't give up without even trying! If you have a proposal, I'd be happy to post it to the pub...@cabforum.org list on your behalf. Alternatively, you could post it to the questi...@cabforum.org list yourself. -- Rob Stradling

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-02 Thread Rob Stradling
On 02/03/16 09:10, Rob Stradling wrote: Neither you nor I can post in any of the CA/Browser forum’s lists, because neither of us has either a browser or a public CA. There are some people who are active there and are reading this list, so they might take such a proposal there. I’m not very

Re: [TLS] TLS 1.3 -> TLS 2.0?

2016-08-30 Thread Rob Stradling
previous name seems to be trendy at the moment... https://en.wikipedia.org/wiki/Mac_OS -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Rob Stradling
On 02/12/16 14:53, Thomas Pornin wrote: Commercial CA tend to sell "SSL certificates", not "TLS certificates" or "SSL/TLS certificates". It's worse than that. Many customers, and even some salespeople, seem to think that we sell "SSLs". -

Re: [TLS] Certificate compression draft

2017-03-09 Thread Rob Stradling
sh them under the limit and save a round-trip. Cheers, Victor. -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls