Benjamin Kaduk <bka...@akamai.com> writes:

>I'll make the obligatory note that SHA-2 is fine

Sure, and that was the really strange thing with TLS 1.2, why not just say SHA-2 or better only, rather than adding mechanisms that were much, much weaker than its predecessors? So the simple fix is just to use SHA-2 only for TLS 1.2.

>if someone does change their system, are really going to recommend they go to
>TLS 1.0 with MD5||SHA1 rather than TLS 1.2 with SHA2?

That would be one argument for an RFC, MUST SHA-2 only or MUST NOT MD5 and SHA-1 in 1.2. Which is pretty much what TLS-LTS says. Or at least it takes the SHA-2-suites-mandatory path which implies no MD5 or SHA-1, I guess I should also add an explicit MUST NOT MD5 and SHA-1.

Having said that, given an RFC saying MUST NOT 1.0 and 1.1 which is what the original discussion was about, why not also add MUST NOT MD5 and SHA1 in TLS 1.2 to the text?

Peter.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
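
The "MUST NOT MD5 and SHA-1 in TLS 1.2" rule discussed in the message above, shown as a check over a TLS 1.2 signature_algorithms extension body. This is an added example, not part of the original message or of TLS-LTS; it assumes the rule is applied to the (hash, signature) pairs defined in RFC 5246, and the function names and sample bytes are constructed for illustration.

```python
import struct

# HashAlgorithm and SignatureAlgorithm code points from RFC 5246, section 7.4.1.4.1.
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
# Assumption: the policy is exactly "no MD5, no SHA-1", as argued in the message.
FORBIDDEN_HASHES = {1, 2}


def parse_signature_algorithms(ext_data: bytes):
    """Parse the body of a TLS 1.2 signature_algorithms extension.

    Layout: uint16 list length, then (hash, signature) byte pairs.
    Raises ValueError on truncated, empty or odd-length lists.
    """
    if len(ext_data) < 2:
        raise ValueError("missing list length")
    (list_len,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if list_len != len(body) or list_len % 2 or list_len == 0:
        raise ValueError("malformed supported_signature_algorithms list")
    return [(body[i], body[i + 1]) for i in range(0, list_len, 2)]


def split_by_policy(pairs):
    """Return (allowed, rejected) lists of 'hash/sig' names under the policy."""
    allowed, rejected = [], []
    for h, s in pairs:
        # Unknown code points are shown in hex rather than guessed at.
        name = f"{HASH_NAMES.get(h, hex(h))}/{SIG_NAMES.get(s, hex(s))}"
        (rejected if h in FORBIDDEN_HASHES else allowed).append(name)
    return allowed, rejected


# Constructed sample: sha256/rsa, sha1/rsa, md5/rsa, sha384/ecdsa.
SAMPLE = bytes.fromhex("0008" "0401" "0201" "0101" "0503")

if __name__ == "__main__":
    ok, bad = split_by_policy(parse_signature_algorithms(SAMPLE))
    print("allowed:", ok)
    print("rejected:", bad)
```

An endpoint enforcing the rule would offer or accept only the pairs in the allowed list and fail the handshake if that list is empty.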