On Fri, Dec 15, 2017 at 07:14:00PM +0000, Tim Hollebeek wrote:
> So, this has been discussed extensively at the CA/Browser forum, for obvious
> reasons.
>
> In my mind, it is not so important to identify and define and implement an
> alternative hash.

Well, I would think that having a ready-to-go backup would cut a fair amount
of time from transitions. It should be noted that the two transitions we have
seen had a backup algorithm already (SHA-1 in the case of MD5 and SHA-2 in
the case of SHA-1).

> What *is* important is that the protocol and associated software is able to
> support a smooth transition period where people are moving from one
> algorithm to another.

Yes, that is what I was referring to with "backward-compatible algorithm
transition".

> Ideally, you'd want certificates to be able to have two signatures during
> the transition period, in order to support clients who have transitioned and
> those who have not. Unfortunately RFC 5280 is deficient in that regard.
> Hosting multiple certificates and switching based on the client is feasible,
> but requires some technical wizardry and isn't possible in all situations.

Yes, there is an enormous number of stacks that have problems with multiple
certificate chains, ranging from OCSP stapling not working properly
(Nginx+OpenSSL) to dual-cert not working at all (too many to list).

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
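The "hosting multiple certificates and switching based on the client" approach discussed in the thread, as an added example (not code from the thread, from either poster, or from any of the stacks mentioned). It uses Go's standard-library `tls.Config.GetCertificate` hook, which is called once per ClientHello and is handed the client's signature_algorithms list as `ClientHelloInfo.SignatureSchemes`. The server holds two chains for the same key, in preference order, and presents the first one whose leaf signature the client says it can validate. Assumptions: the hostname `example.test`, self-signed one-certificate chains generated in memory, and SHA-384 versus SHA-256 as constructed stand-ins for the "new" and "old" hash of a transition (the chains, the ClientHellos and the `schemeForLeaf` mapping are all constructed for this example). It keys only on signature_algorithms, since Go does not expose the TLS 1.3 signature_algorithms_cert extension.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// chainCandidate is one chain the server could present. Required is the TLS
// signature scheme (key type + hash) a client must list in signature_algorithms
// for the leaf's own signature to be acceptable to it.
type chainCandidate struct {
	Cert     *tls.Certificate
	Required tls.SignatureScheme
}

// schemeForLeaf maps a leaf's X.509 signature algorithm to the TLS scheme a
// client must advertise to validate it (only the RSA variants used here).
var schemeForLeaf = map[x509.SignatureAlgorithm]tls.SignatureScheme{
	x509.SHA256WithRSA: tls.PKCS1WithSHA256,
	x509.SHA384WithRSA: tls.PKCS1WithSHA384,
}

// newSelfSignedChain builds a one-certificate chain for host, self-signed with
// key using alg. Constructed for this example; a real server loads issued chains.
func newSelfSignedChain(host string, key *rsa.PrivateKey, alg x509.SignatureAlgorithm) (chainCandidate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: host},
		DNSNames:           []string{host},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return chainCandidate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return chainCandidate{}, err
	}
	required, ok := schemeForLeaf[leaf.SignatureAlgorithm]
	if !ok {
		return chainCandidate{}, fmt.Errorf("no TLS scheme mapping for %v", leaf.SignatureAlgorithm)
	}
	return chainCandidate{Cert: &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, Required: required}, nil
}

// selectChain returns the first candidate, in preference order, whose leaf
// signature the client says it can validate. A client that sent no
// signature_algorithms at all (TLS 1.0/1.1) gets the last, most conservative
// candidate; one that accepts none of them is refused instead of being handed
// a chain it would reject anyway.
func selectChain(clientSchemes []tls.SignatureScheme, candidates []chainCandidate) (*chainCandidate, error) {
	if len(clientSchemes) == 0 && len(candidates) > 0 {
		return &candidates[len(candidates)-1], nil
	}
	for i := range candidates {
		for _, s := range clientSchemes {
			if s == candidates[i].Required {
				return &candidates[i], nil
			}
		}
	}
	return nil, fmt.Errorf("client accepts none of the configured chain signatures")
}

// serverConfig wires selectChain into Go's per-ClientHello certificate hook.
func serverConfig(candidates []chainCandidate) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			c, err := selectChain(hello.SignatureSchemes, candidates)
			if err != nil {
				return nil, err
			}
			return c.Cert, nil
		},
	}
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed stand-ins: SHA-384 plays the "new" hash, SHA-256 the "old" one.
	newChain, _ := newSelfSignedChain("example.test", key, x509.SHA384WithRSA)
	oldChain, _ := newSelfSignedChain("example.test", key, x509.SHA256WithRSA)
	cfg := serverConfig([]chainCandidate{newChain, oldChain})
	// Two constructed ClientHellos: a transitioned client and one that is not.
	for _, schemes := range [][]tls.SignatureScheme{{tls.PKCS1WithSHA384, tls.PKCS1WithSHA256}, {tls.PKCS1WithSHA256}} {
		cert, err := cfg.GetCertificate(&tls.ClientHelloInfo{SignatureSchemes: schemes})
		if err != nil {
			fmt.Println("refused:", err)
			continue
		}
		fmt.Printf("client offering %v gets the chain signed with %v\n", schemes, cert.Leaf.SignatureAlgorithm)
	}
}
```

The selection itself is a few lines; the "technical wizardry" is everything around it. Each `tls.Certificate` carries its own `OCSPStaple`, so a stapled response must be fetched and kept per chain, which is the part the Nginx+OpenSSL combination is reported above to get wrong; the server must also already hold a chain for every hash the client population might accept, because RFC 5280 gives no way to put two signatures on one certificate; and the choice is only as good as the signature_algorithms list the client sends, which pre-TLS 1.2 clients do not send at all.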