Speaking of PRF hash, I want to bring up the fact that SHA-3 is a better PRF by design, as that was one of the explicitly stated competition requirements (unlike MD*, SHA-1, and SHA-2).
Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.

Original Message
From: Ilari Liusvaara
Sent: Friday, September 2, 2016 06:44
To: Hubert Kario
Cc: tls@ietf.org
Subject: Re: [TLS] SHA-3 in SignatureScheme

On Fri, Sep 02, 2016 at 12:08:47PM +0200, Hubert Kario wrote:
> On Thursday, 1 September 2016 19:22:18 CEST Dave Garrett wrote:
> >
> > The reason I see is that we currently specify exactly one valid hash
> > algorithm (in a variety of sizes). The precedent argument is good enough
> > for me. I think adding it in this document is definitely worth considering.
> > I don't want to wait until SHA-2 is considered weak to provide an
> > alternative, if we can avoid it.
>
> I've created a PR for it: https://github.com/tlswg/tls13-spec/pull/616
>
> I haven't changed any recommendations, the recommended hashes to implement are
> still SHA-2 based, and I don't think we should change that given that
> certificates just now are transitioning to SHA-256 because of incompatibility
> fears.

Just tweaking the signatures is not enough. There is also the PRF hash, and
using weak hash there has, umm... rather bad consequences.

I also don't see why this should be in TLS 1.3 spec, instead of being its own
spec (I looked up how much process BS it would be to get the needed
registrations: informative RFC would do).

-Ilari
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls