> On May 22, 2017, at 5:22 PM, Eric Rescorla <e...@rtfm.com> wrote:
>
> I don't think "opportunistic" is a clearly enough defined category to be
> useful here.

If you mean:

> I don't think "strongly authenticate" is useful here. I think the
> requirement is that the RP must not accept these algorithms in any
> context which would require validating signatures made using them.

That's fine.

> Rather, I think the relevant criterion is the one I listed above. If people
> agree, I'd be happy to make that change (and can produce text) because I
> think it conforms to the WG consensus.

The above formulation (where the relying party does not accept certain signature algorithms as valid in the context of validating issuer signatures) works for me. All I'm looking for is not requiring the RP to abort the handshake as soon as the algorithm is encountered, even when the signature would never be checked!

So if putting the consensus to ban MD5/SHA-1 in its *proper context* is consistent with the WG consensus, let's do that.

--
Viktor.