> On May 22, 2017, at 11:35 AM, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
>
> Still, all of this belongs in an update of RFC5280, but if we just can't
> resist saying something here along the lines you suggest then it might be:
>
> "When peer authentication is via a certificate, with RFC5280 (PKIX) chain
> verification, certificate signature algorithms weaker than <list of weakest
> acceptable signature algs here> MUST NOT be trusted."
I want to reiterate that the simplest approach, and the one that I would prefer, is not to repurpose the TLS 1.3 specification to carry language that properly belongs in PKIX. The "MUST NOT" language related to MD5 and SHA-1 in *certificate signatures* should be removed.

-- 
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
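As an added illustration of the kind of check the quoted wording describes (this is example code written for this page, not code from the thread, the TLS working group, or any PKIX implementation), the following Python walks a certificate chain and rejects any signature whose hash is weaker than a configured floor. The chain representation, the `HASH_RANK` ordering and the algorithm-name parsing are assumptions for the example; the one PKIX detail it deliberately models is that the trust anchor's own signature is not part of RFC 5280 path validation, so a self-signed root signed with MD5 or SHA-1 does not by itself make the chain untrusted.

```python
import re

# Relative strength ordering of hashes seen in certificate signatures.
# Assumption for this example: a simple integer rank is enough for policy.
HASH_RANK = {"md5": 0, "sha1": 1, "sha224": 2, "sha256": 3, "sha384": 4, "sha512": 5}

_HASH_RE = re.compile(r"(md5|sha1|sha224|sha256|sha384|sha512)", re.IGNORECASE)


def hash_of_sig_alg(sig_alg):
    """Extract the hash name from a textual signature algorithm such as
    'sha256WithRSAEncryption' or 'ecdsa-with-SHA1'. Unknown names return
    None so the caller treats them as a policy violation rather than
    silently accepting them."""
    m = _HASH_RE.search(sig_alg.replace("-", ""))
    return m.group(1).lower() if m else None


def is_trust_anchor(cert):
    """A self-signed certificate at the end of the chain is the anchor;
    PKIX does not verify the anchor's own signature (RFC 5280, 6.1)."""
    return cert["subject"] == cert["issuer"]


def weak_signatures(chain, weakest_acceptable="sha256"):
    """Return a list of (subject, sig_alg, reason) tuples for every
    certificate in `chain` (leaf first, anchor last) whose signature
    falls below the floor. Constructed input format:
        {"subject": str, "issuer": str, "sig_alg": str}
    """
    floor = HASH_RANK[weakest_acceptable]
    violations = []
    for idx, cert in enumerate(chain):
        # Only the final, self-signed certificate is exempt; a self-signed
        # leaf is still a signature the relying party must check.
        if idx == len(chain) - 1 and is_trust_anchor(cert):
            continue
        h = hash_of_sig_alg(cert["sig_alg"])
        if h is None:
            violations.append((cert["subject"], cert["sig_alg"], "unrecognised hash"))
        elif HASH_RANK[h] < floor:
            violations.append((cert["subject"], cert["sig_alg"], f"{h} below {weakest_acceptable}"))
    return violations


def chain_is_trusted(chain, weakest_acceptable="sha256"):
    """Policy decision: trusted only if no certificate below the anchor
    carries a signature weaker than the configured floor."""
    return not weak_signatures(chain, weakest_acceptable)


# Constructed sample chains (no real certificates involved).
GOOD_CHAIN = [
    {"subject": "CN=leaf", "issuer": "CN=ica", "sig_alg": "sha256WithRSAEncryption"},
    {"subject": "CN=ica", "issuer": "CN=root", "sig_alg": "ecdsa-with-SHA384"},
    # MD5 on the anchor itself is never verified, so it does not fail policy.
    {"subject": "CN=root", "issuer": "CN=root", "sig_alg": "md5WithRSAEncryption"},
]

BAD_CHAIN = [
    {"subject": "CN=leaf", "issuer": "CN=ica", "sig_alg": "sha256WithRSAEncryption"},
    {"subject": "CN=ica", "issuer": "CN=root", "sig_alg": "sha1WithRSAEncryption"},
    {"subject": "CN=root", "issuer": "CN=root", "sig_alg": "sha256WithRSAEncryption"},
]

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(name, "trusted" if chain_is_trusted(chain) else weak_signatures(chain))
```

The floor is a parameter precisely because the quoted text leaves the list of acceptable algorithms open; whichever document ends up carrying the requirement, a verifier needs a single place to set it, and the anchor exemption is why a naive "no MD5 anywhere in the chain" scan can reject chains that PKIX validation would accept.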