On Sat, Oct 10, 2015 at 07:44:04PM +0200, Eric Rescorla wrote:
> On Sat, Oct 10, 2015 at 7:37 PM, Dave Garrett <davemgarr...@gmail.com>
> wrote:
>
> > In light of completely unsurprising recent events [0], I think it's time
> > to reconsider the current consensus on how to deal with SHA-1 in TLS 1.3.
> > Currently, it's allowed if needed by servers that have nothing better [1].
>
> To be clear, the only thing that's allowed is SHA-1 in *certificates*.
> It's forbidden in CertificateVerify.

Isn't using it in certificates precisely more dangerous than using it in
CertificateVerify (especially with TLS 1.3)? (Not that using it in
CertificateVerify is a good idea).

Also, AFAIK, TLS 1.3 won't be published this year, so by the time it is
published, one can't get SHA-1 certs from public CAs anyway (or if you can,
those don't work reliably anyway).

-Ilari