On Wed, Mar 30, 2016 at 01:33:57PM -0700, Eric Rescorla wrote:
> On Wed, Mar 30, 2016 at 1:23 PM, Dave Garrett <davemgarr...@gmail.com>
> wrote:
> 
> > On Wednesday, March 30, 2016 11:22:15 am Eric Rescorla wrote:
> > > 1. Add a "this is only usable for TLS 1.3 [or for subcerts]" extension to
> > > PKIX.
> >
> > Adding a PKIX extension to mandate a minimum threshold of security
> > configuration (e.g. PFS+AEAD w/o resumption or SHA1 or any support for TLS
> > <1.2) would also be great to have
> 
> 
> This seems like a fairly blunt instrument. Better to make sure that TLS's
> negotiation mechanisms are reliable and trustworthy.

Unfortunately, there are the broken key exchanges, which fundamentally
compromise any version negotiation.


Yes, one could set RSA KeyUsage to just DigitalSignature, which would
nominally disable those broken key exchanges. Unfortunately:

- Many clients don't enforce that.
- That kind of certificate is listed as SHOULD NOT issue.


-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
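An added example, not code from this thread, of the client-side KeyUsage enforcement Ilari says many clients skip: a static RSA key exchange (TLS_RSA_*) is refused when the server certificate's KeyUsage lacks keyEncipherment, while signed exchanges ((EC)DHE_RSA, TLS 1.3) still pass with a digitalSignature-only certificate. The function names and the throwaway self-signed certificate are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// CertPermitsKex is the client-side check the thread says many clients skip.
// staticRSA is true for TLS_RSA_* suites, which encrypt the premaster secret to
// the server's key and so need keyEncipherment; signed exchanges ((EC)DHE_RSA,
// TLS 1.3) need only digitalSignature. Absent KeyUsage means no restriction.
func CertPermitsKex(cert *x509.Certificate, staticRSA bool) bool {
	if cert.KeyUsage == 0 {
		return true // extension absent: nothing to enforce
	}
	if staticRSA {
		return cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0
	}
	return cert.KeyUsage&x509.KeyUsageDigitalSignature != 0
}

// SelfSignedRSACert builds a throwaway self-signed RSA certificate carrying
// the given KeyUsage bits (constructed test data, not a real server cert).
func SelfSignedRSACert(usage x509.KeyUsage) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	sigOnly, _ := SelfSignedRSACert(x509.KeyUsageDigitalSignature)
	fmt.Println("static RSA kex allowed:", CertPermitsKex(sigOnly, true)) // false
	fmt.Println("ECDHE_RSA allowed:", CertPermitsKex(sigOnly, false))     // true
}
```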