On Wednesday, October 21, 2015 03:56:09 pm Viktor Dukhovni wrote: > Whether SHA-1 in the chain is used to make trust decisions is only > known to the client, and the server MUST NOT preempt that by denying > the client access to whatever chain it has on hand.
Can we please just fix this issue properly and add an "any(0xFF)" value to the enum so clients can explicitly tell the server that they're capable of trusting certs directly (or is doing OE) and the hash is potentially irrelevant? Note that the current proposed change does not break your use-case. Those clients can simply offer SHA-1 support indefinitely. Sure, they don't strictly support using SHA-1, but they support receiving certs using it, which is all the signal is really for. Dave _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
