On Wed, Mar 30, 2016 at 2:47 PM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> On Wed, Mar 30, 2016 at 01:33:57PM -0700, Eric Rescorla wrote:
> > On Wed, Mar 30, 2016 at 1:23 PM, Dave Garrett <davemgarr...@gmail.com>
> > wrote:
> >
> > > On Wednesday, March 30, 2016 11:22:15 am Eric Rescorla wrote:
> > > > 1. Add a "this is only usable for TLS 1.3 [or for subcerts]" extension to
> > > > PKIX.
> > >
> > > Adding a PKIX extension to mandate a minimum threshold of security
> > > configuration (e.g. PFS+AEAD w/o resumption or SHA1 or any support for TLS
> > > <1.2) would also be great to have
> >
> > This seems like a fairly blunt instrument. Better to make sure that TLS's
> > negotiation mechanisms are reliable and trustworthy.
>
> Unfortunately, there's the broken key exchanges, which fundamentally
> compromise any version negotiation.
>
> Yes, one could set RSA KeyUsage to just DigitalSignature, which would
> nominally disable those broken key exchanges.

Why is this necessary in this case? If you're a server which won't do
static RSA, why isn't it enough to just refuse to negotiate those cipher
suites?

-Ekr

> Unfortunately:
>
> - Many clients don't enforce that.
> - That kind of certificates are listed as SHOULD NOT issue.
>
> -Ilari
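To make Ilari's point concrete, here is an added example (not code from the thread or from any TLS implementation): a stdlib-only encoder/decoder for the X.509 KeyUsage BIT STRING (RFC 5280 section 4.2.1.3), showing what an RSA certificate restricted to digitalSignature looks like on the wire versus one that also asserts keyEncipherment, and the check a client would need to perform before accepting an RSA key transport cipher suite. The sample DER values are constructed; only RFC 5280's bit numbering is assumed.

```python
# KeyUsage named bits (RFC 5280): bit 0 is the most significant bit of the first body byte.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> set:
    """Parse a DER BIT STRING (tag 0x03) into the set of asserted KeyUsage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    # DER requires the unused low bits to be zero and trailing zero bits to be
    # dropped; lenient decoders that skip this can disagree on the same extension.
    if body and (body[-1] & ((1 << unused) - 1) or body[-1] == 0):
        raise ValueError("non-DER trailing bits")
    names = set()
    for i in range(len(body) * 8 - unused):
        if body[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i] if i < len(KEY_USAGE_BITS) else f"bit{i}")
    return names


def encode_key_usage(names) -> bytes:
    """DER-encode a set of KeyUsage names, trimming trailing zero bits as DER demands."""
    bits = sorted(KEY_USAGE_BITS.index(n) for n in names)
    if not bits:
        return b"\x03\x01\x00"          # empty named bit list
    high = bits[-1]
    body = bytearray(high // 8 + 1)
    for b in bits:
        body[b // 8] |= 0x80 >> (b % 8)
    unused = 7 - (high % 8)
    return bytes([0x03, 1 + len(body), unused]) + bytes(body)


def permits_static_rsa(der: bytes) -> bool:
    """True if keyEncipherment is asserted, i.e. the key may be used for RSA key
    transport (TLS_RSA_* suites). A client enforcing KeyUsage, as the thread notes
    many do not, would refuse static RSA when this returns False."""
    return "keyEncipherment" in decode_key_usage(der)


# Constructed sample values: signature-only RSA cert vs. one that also allows key transport.
SIGN_ONLY = encode_key_usage({"digitalSignature"})                      # 03 02 07 80
SIGN_AND_ENCIPHER = encode_key_usage({"digitalSignature", "keyEncipherment"})  # 03 02 05 a0
```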
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls