On Saturday, October 10, 2015 04:28:28 pm Ilari Liusvaara wrote:
> On Sat, Oct 10, 2015 at 07:44:04PM +0200, Eric Rescorla wrote:
> > To be clear, the only thing that's allowed is SHA-1 in *certificates*.
> > It's forbidden in CertificateVerify.
>
> Isn't using it in certificates precisely more dangerous than using it in
> CertificateVerify (especially with TLS 1.3)?
>
> (Not that using it in CertificateVerify is a good idea).

You can take all the time you need to forge something in a certificate chain (before expiry time), but to forge CertificateVerify you'd need to do it on the fly. Really dangerous vs. somewhat dangerous doesn't matter much here, though.

Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls