On Sat, Oct 10, 2015 at 7:37 PM, Dave Garrett <davemgarr...@gmail.com> wrote:
> In light of completely unsurprising recent events [0], I think it's time
> to reconsider the current consensus on how to deal with SHA-1 in TLS 1.3.
> Currently, it's allowed if needed by servers that have nothing better [1].

To be clear, the only thing that's allowed is SHA-1 in *certificates*.
It's forbidden in CertificateVerify.

-Ekr

> I propose we stop playing around and just prohibit it under TLS 1.3+.
> Implementations that can negotiate nothing better would be permitted to
> fall back to TLS 1.2 with the security restrictions currently in the draft
> [2] (which is still a concession I'd rather not make, but it's currently
> needed). I have submitted a PR [3] to this effect in order to have specific
> text to discuss here, though WG consensus and chair approval is of course
> required to change the current status.
>
> Please note that TLS 1.3 is not coming out tomorrow, nor will its
> deployment be instant. By the time servers even decide to consider an
> upgrade, SHA-1 will be in an even less secure state than it already is.
>
> To answer the obvious question: Prohibiting it in new versions reduces the
> risk of mistakes, draws a clear line where support is killed, and puts an
> actual impetus on PKI to transition faster. TLS 1.2 is potentially
> vulnerable, depending on configuration (nothing new there), but TLS 1.3
> should be known to be secure in all valid configurations. The discussion to
> have with non-experts should not be about specific algorithms to pick and
> choose (RC4, MD5, SHA1, EXPORT ciphers, non-AEAD, non-PFS, weak DH groups,
> etc. etc.); we should be able to point at the current version and say "use
> this, not the old thing", or we can't expect it to be understood and taken
> seriously.
>
> [0] https://sites.google.com/site/itstheshappening/
> [1] https://tools.ietf.org/html/draft-ietf-tls-tls13-09#page-60
> [2] https://tools.ietf.org/html/draft-ietf-tls-tls13-09#appendix-C.3
> [3] https://github.com/tlswg/tls13-spec/pull/287
>
>
> Dave
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
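The distinction ekr draws above (SHA-1 tolerated only as a certificate signature, never in CertificateVerify) leaves one check a practitioner still wants: which certificates in a chain are themselves SHA-1 signed. The following is an added example, not code from this thread or from the TLS WG. It walks the outer `signatureAlgorithm` field of each DER certificate with a small hand-written DER reader (no external library), and runs over constructed stub certificates (placeholder `tbsCertificate`, dummy signature bits) built by the hypothetical `make_stub_cert` helper; the function names `signature_oid` and `sha1_signed` are chosen here.

```python
# Added example (not from the TLS WG thread): report which certificates in a
# DER chain carry a SHA-1 based signature. Sample certificates are constructed
# stubs: real AlgorithmIdentifier, placeholder tbsCertificate, dummy signature.
from typing import List, Tuple

SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
SHA256_RSA_OID = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption

SEQUENCE, OID, NULL, INTEGER, BIT_STRING = 0x30, 0x06, 0x05, 0x02, 0x03


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes) -> List[Tuple[int, bytes]]:
    """Split the contents of a constructed value into (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def _decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Return the dotted OID of the outer signatureAlgorithm (what the peer signs with)."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER Certificate")
    members = _children(body)
    if len(members) < 3 or members[1][0] != SEQUENCE:
        raise ValueError("malformed Certificate")
    alg_members = _children(members[1][1])
    if not alg_members or alg_members[0][0] != OID:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(alg_members[0][1])


def sha1_signed(chain: List[bytes], skip_trust_anchor: bool = False) -> List[Tuple[int, str]]:
    """Return (index, algorithm name) for each chain member signed with SHA-1.
    A trust anchor's self-signature is not checked during path validation, so
    when the chain ends at the anchor the caller may exclude the last entry."""
    hits = []
    for i, cert in enumerate(chain):
        if skip_trust_anchor and i == len(chain) - 1:
            continue
        name = SHA1_SIGNATURE_OIDS.get(signature_oid(cert))
        if name:
            hits.append((i, name))
    return hits


# --- constructed test data (hypothetical helpers, not a real certificate) ---
def _tlv(tag: int, content: bytes) -> bytes:
    """Encode a DER TLV, using long-form length when content is 128+ bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_stub_cert(sig_oid: str) -> bytes:
    """Stub with just enough structure for the walker; not a valid certificate."""
    tbs = _tlv(SEQUENCE, _tlv(INTEGER, b"\x01"))
    alg = _tlv(SEQUENCE, _tlv(OID, _encode_oid(sig_oid)) + _tlv(NULL, b""))
    sig = _tlv(BIT_STRING, b"\x00" + b"\xAA" * 128)  # forces long-form lengths
    return _tlv(SEQUENCE, tbs + alg + sig)


CHAIN = [
    make_stub_cert("1.2.840.113549.1.1.5"),  # leaf: sha1WithRSAEncryption
    make_stub_cert(SHA256_RSA_OID),           # intermediate: sha256WithRSAEncryption
    make_stub_cert("1.2.840.10045.4.1"),      # root: ecdsa-with-SHA1 self-signature
]

if __name__ == "__main__":
    for idx, name in sha1_signed(CHAIN):
        print(f"cert {idx}: signed with {name}")
```

The walker reads only the outer `signatureAlgorithm`, which is the field a TLS peer can filter on; it deliberately does not verify signatures. Whether to count the root's own SHA-1 self-signature depends on whether the chain actually ends at a locally configured trust anchor, hence the explicit `skip_trust_anchor` switch rather than a silent default.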