On Wednesday, 1 May 2019 01:49:52 CEST Martin Rex wrote:
> Martin Thomson <m...@lowentropy.net> wrote:
> > On Sat, Apr 27, 2019, at 07:29, Viktor Dukhovni wrote:
> >> The sound-bite version is: first raise the ceiling, *then* the floor.
> >
> > Yep. We've done the ceiling bit twice now.
> > Once in 2008 when we published TLS 1.2 and then in 2018
> > with the publication of TLS 1.3. I'd say we're overdue for the floor bit.
>
> Just that this rationale is a blatant lie.
>
> It is formally provable that from the three protocol versions:
>
> TLSv1.0, TLSv1.1, TLSv1.2
>
> the weakest one is TLSv1.2, because of the royally stupid downgrade
> in the strength of digitally signed.
>
>
> Disabling TLSv1.0 will only result in lots of interop failures
> and pain, but no improvement in security.

We've been over this Martin, the theoretical research shows that for
Merkle-Damgård functions, combining them doesn't increase their security
significantly.

And the practical research:
https://eprint.iacr.org/2016/131.pdf
https://www.iacr.org/archive/asiacrypt2009/59120136/59120136.pdf
only confirms that.

So, please, use a bit less inflammatory language when you have no factual
arguments behind your assertions.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls