On Fri, Dec 15, 2017 at 10:12 AM, Watson Ladd <watsonbl...@gmail.com> wrote:

> We can force a rotate of all certs in 90 days, and I don't think most
> people will notice.
>

Unfortunately, there are plenty of longterm certificates with lifetimes >>
90 days.

-Ekr


>
> On Fri, Dec 15, 2017 at 10:07 AM, Eric Rescorla <e...@rtfm.com> wrote:
> > I'm not quite following how this helps. It's true that if SHA-256 is
> > broken, we're in serious trouble, but that's largely because of the fact
> > that that's what people's certificates have, so clients really can't
> > refuse to support SHA-256 certificates. So, how does adding new
> > algorithms help? (That's why I would argue that the existing SHA-384
> > support doesn't help).
> >
> > -Ekr
> >
> >
> > On Fri, Dec 15, 2017 at 9:46 AM, Ilari Liusvaara <ilariliusva...@welho.com>
> > wrote:
> >>
> >> On Fri, Dec 15, 2017 at 02:57:33PM +0000, Andrei Popov wrote:
> >> > From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Ilari Liusvaara
> >> > > Even nastier dependency: SHA-2. If that breaks, currently both TLS
> >> > > 1.2 and 1.3 break. There are no alternatives defined.
> >> >
> >> > Here's an attempt to define a SHA-2 alternative:
> >> > https://tools.ietf.org/html/draft-wconner-blake2sigs-01
> >>
> >> Also would need TLS ciphersuite codepoints with alternative handshake
> >> hash algorithms.
> >>
> >>
> >> -Ilari
> >
>
> --
> "Man is born free, but everywhere he is in chains".
> --Rousseau.
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
