On 2018-07-10 at 00:17 -0400, Viktor Dukhovni wrote:
> More generally, as noted in RFC7435, you get more security by raising
> the ceiling than by raising the floor.

+1, including to the points about SMTP fallback to cleartext, etc.

> For example, I recently learned that current GnuTLS
> versions by default no longer validate certificates with SHA-1
> issuer signatures, and that current versions of Exim linked with
> these GnuTLS releases fail to validate some DANE-TA(2) chains issued
> by private-CAs that still use SHA-1.  And yet:

That's fine by me.  Linking against GnuTLS has long had implications for
mail delivery.  It blocked SSLv3 at a time when SSLv3 was still fairly
widespread in corporate circles (Exchange).  Folks who care about TLS
interop for real mail-systems use OpenSSL.

For myself, I think that since SHA-1 has practical collision attacks
today, the next break will be second preimage attacks, at which point
the use in certificates is dead.  Whether that comes tomorrow or three
years from now, I don't know.

It's appropriate to not re-enable SHA-1 at a point where the entire
non-SMTP ecosystem has moved away from it and nobody should be asking
_other people outside their own administrative domain_ to trust SHA-1 in
certs.  If folks want to use it internally, that's fine.  If you want to
use DANE-TA to expose your internal CA to the outside world, that's fine
too, but you need to meet the common minimum bar for protecting chain
integrity.

> Thus there is no practical exposure to SHA-1 via the public CA
> ecosystem, and as the issue is comprehensively addressed on the
> issuer side.

Today, no.  But when SHA-1 is already so broken that 2nd preimage is the
only remaining step to fall before it becomes unsuitable for certs, it's
certainly not good to encourage its continuing usage.

> Non-public CAs, on the other hand, are typically already compromised
> by the time they can be convinced to issue certificates to untrusted
> strangers, even if the hash algorithm is impeccably strong.

And this step then falls because if considering the next break rather
than "publicly known today" then the "issuing to untrusted strangers"
stops being a prerequisite for attack.

> For the record, SHA-1 use is not common.

Not common enough for me to do more than update the Exim Specification
to include a warning, which I'll do shortly.

On 2018-07-10 at 00:43 -0400, Viktor Dukhovni wrote:
> All the below have DANE-TA(2) TLSA RRs, with SHA-1 leaf sigs.
> 
>     semidefinite.de
>     iki.fi
[ *.iki.fi ]

So looks like two organizations total.  I'm not encouraging a time-bomb
break in TLS security for two orgs.


Thanks for bringing this to my attention.  I'll update docs shortly.

-Phil
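As an added example (not code from this thread, nor from Exim or GnuTLS), a small standard-library Python auditor that reads each DER certificate's outer signatureAlgorithm OID and flags the SHA-1 issuer signatures discussed above, so an operator can check a DANE-TA(2) chain before a strict verifier rejects it. The sample chain is constructed from skeleton certificates carrying real OIDs, and the table of weak OIDs is my own selection.

```python
# Added example: audit a DER certificate chain for SHA-1 issuer signatures.
# Signature-algorithm OIDs built on SHA-1 (the hashes strict verifiers refuse).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (real certs)
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw: bytes) -> str:
    """Dotted form of an OBJECT IDENTIFIER body (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der: bytes) -> str:
    """OID of Certificate.signatureAlgorithm (RFC 5280 s4.1): the issuer's hash."""
    tag, body, _ = _tlv(cert_der, 0)
    assert tag == 0x30, "expected outer Certificate SEQUENCE"
    _, _, pos = _tlv(body, 0)              # skip tbsCertificate
    _, alg_id, _ = _tlv(body, pos)         # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _tlv(alg_id, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid)

def weak_signatures(chain: list[bytes]) -> list[tuple[int, str]]:
    """(index, algorithm) for each certificate whose issuer used a weak hash."""
    oids = [signature_oid(der) for der in chain]
    return [(i, WEAK_SIG_OIDS[o]) for i, o in enumerate(oids) if o in WEAK_SIG_OIDS]

# Constructed sample chain: skeleton "certificates" (empty tbs, empty signature)
# carrying real signatureAlgorithm OIDs, so this runs offline without a CA.
def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body   # short-form lengths suffice here

def _skeleton_cert(oid_body: bytes) -> bytes:
    alg = _der(0x30, _der(0x06, oid_body) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))

SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SAMPLE_CHAIN = [_skeleton_cert(SHA256_RSA), _skeleton_cert(SHA1_RSA)]
```

On a real chain, feed it the DER bytes of each certificate (leaf first); the parser handles long-form lengths, which the constructed samples do not exercise.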

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls