Hi,

After the SLOTH paper, we should think about starting to deprecate TLS 1.0 and TLS 1.1 and the SHA1-based signature algorithms in TLS 1.2.

As I understand it, they estimate that both TLS 1.2 with SHA1 and TLS 1.0 and 1.1 with MD5|SHA1 currently require about 2^77 to be broken. They all depend on the chosen prefix collision on SHA1, with the MD5 part in TLS 1.0 and 1.1 not adding much.

It seems that disabling SHA1 in TLS 1.2 doesn't buy you anything unless you also disable TLS 1.0 and 1.1.

Kurt

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
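
The dependency described in the message above can be checked against an endpoint's settings. The following is an added example, not part of the original message: it takes an enabled version range and a raw TLS 1.2 signature_algorithms extension body and lists the versions whose handshake signatures still rest on MD5 or SHA1. Function names and sample bytes are constructed for illustration; the code points and the SHA1 default when the extension is absent come from RFC 5246.

```python
import struct

# Constructed example; function names are hypothetical, code points are RFC 5246.
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
LEGACY = {"md5", "sha1", "md5|sha1"}

def parse_sigalgs(ext_data):
    """Return the hash names listed in a signature_algorithms extension body."""
    if len(ext_data) < 2:
        raise ValueError("truncated extension")
    (length,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if length != len(body) or length % 2:
        raise ValueError("bad supported_signature_algorithms length")
    # Each entry is a (hash, signature) byte pair; only the hash byte matters here.
    return {HASHES.get(body[i], "unknown(%d)" % body[i]) for i in range(0, length, 2)}

def handshake_hashes(min_ver, max_ver, sigalgs_ext):
    """Map each enabled version to the signature hashes a handshake may use."""
    result = {}
    for ver, name in VERSIONS.items():
        if not (min_ver <= ver <= max_ver):
            continue
        if ver < 0x0303:
            # TLS 1.0/1.1 are fixed: MD5|SHA1 for RSA, SHA1 for DSA/ECDSA.
            result[name] = {"md5|sha1", "sha1"}
        elif sigalgs_ext is None:
            # TLS 1.2 without the extension falls back to SHA1.
            result[name] = {"sha1"}
        else:
            result[name] = parse_sigalgs(sigalgs_ext)
    return result

def legacy_hash_versions(min_ver, max_ver, sigalgs_ext):
    """Sorted names of enabled versions that still accept MD5/SHA1 signatures."""
    hashes = handshake_hashes(min_ver, max_ver, sigalgs_ext)
    return sorted(v for v, h in hashes.items() if h & LEGACY)

# Constructed sample: sha256/rsa, sha256/ecdsa, sha384/rsa (no SHA1 entries).
NO_SHA1 = bytes.fromhex("0006" "0401" "0403" "0501")
# Constructed sample: sha256/rsa plus sha1/rsa.
WITH_SHA1 = bytes.fromhex("0004" "0401" "0201")

if __name__ == "__main__":
    print(legacy_hash_versions(0x0301, 0x0303, NO_SHA1))
    print(legacy_hash_versions(0x0303, 0x0303, WITH_SHA1))
    print(legacy_hash_versions(0x0303, 0x0303, NO_SHA1))
```

The first call is the case the message warns about: SHA1 is gone from the TLS 1.2 list, yet TLS 1.0 and 1.1 are still reported.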