> On May 20, 2017, at 1:41 AM, Nico Williams <n...@cryptonector.com> wrote:
>
> "When using TLS to authenticate the server, certificate signature
> algorithms weaker than <list of weakest acceptable signature algs here>
> MUST NOT be used."
Minor correction: perhaps you really mean to say "when using RFC5280 (PKIX) to authenticate... (the [server or client?])". TLS is just the transport after all.

This formulation does correctly place the security floor in the proper context, namely PKIX authentication, and does not inappropriately mandate aborting connections and the like. A peer presenting certificates with deprecated algorithms would then not pass PKIX authentication. It is then up to the other party to decide whether this matters and how to react.

This would amount in essence to a TLS-specific "profile" for PKIX. If such a thing is really needed, so be it.

So long as we have no text mandating connection termination based on potentially irrelevant certificate details, I can go along with a compromise in which a more narrow prohibition of MD5 and SHA-1 remains along the lines above.

-- 
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
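As an added example (not code from this thread or from any IETF document), here is what the "PKIX profile" framing looks like in practice: a Python check that reads the outer signatureAlgorithm OID of each certificate in a path with a minimal DER walker, flags anything below an assumed MD5/SHA-1 floor, and hands the result back to the TLS side to decide on, instead of aborting itself. The certificates are constructed placeholders with an empty tbsCertificate, and the trust anchor's self-signature is skipped by default because RFC 5280 path validation never verifies it.

```python
# Added example, not from the thread: a PKIX-level signature-algorithm floor that
# reports weak signatures to the caller (the TLS side) instead of aborting.
# Floor assumed here: MD5 and SHA-1 (OID -> algorithm name).
WEAK = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER body to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def cert_signature_algorithm(der_cert):
    """Dotted OID of the outer signatureAlgorithm in Certificate ::= SEQUENCE
    { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = der_tlv(der_cert, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _, pos = der_tlv(body, 0)            # skip tbsCertificate
    _, alg_id, _ = der_tlv(body, pos)       # AlgorithmIdentifier SEQUENCE
    _, oid, _ = der_tlv(alg_id, 0)          # its first element is the OID
    return decode_oid(oid)

def pkix_weak_signatures(chain, include_anchor=False):
    """chain is leaf first, trust anchor last; returns [(index, name)] of members signed
    below the floor. The anchor's self-signature is skipped by default: RFC 5280 path
    validation never verifies it, so it is exactly the irrelevant certificate detail."""
    checked = chain if include_anchor else chain[:-1]
    oids = [cert_signature_algorithm(c) for c in checked]
    return [(i, WEAK[o]) for i, o in enumerate(oids) if o in WEAK]

def fake_cert(oid_hex):
    """Constructed test input: empty tbsCertificate placeholder, NULL params, dummy signature."""
    oid = bytes.fromhex(oid_hex)
    alg_id = b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00\x30" + bytes([len(alg_id)]) + alg_id + b"\x03\x02\x00\xaa"
    return b"\x30" + bytes([len(body)]) + body

# Constructed chain: SHA-256 leaf, SHA-1 intermediate, MD5 self-signed anchor.
CHAIN = [fake_cert("2a864886f70d01010b"), fake_cert("2a864886f70d010105"),
         fake_cert("2a864886f70d010104")]
```

With the anchor excluded only the SHA-1 intermediate is reported; passing `include_anchor=True` also reports the MD5 self-signature, which is the "irrelevant detail" a mandatory-abort rule would trip over.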