Kathleen Moriarty <kathleen.moriarty.i...@gmail.com> writes:

>MD5 is not discussed in the current version of RFC7525.

I would add it. If this is guidance for general use then it should cover all the bases; if SHA-1 is a MUST NOT then MD5 is a REALLY REALLY REALLY MUST NOT.

(Technically SHA-1 is still safe for ephemeral signing, i.e. locations where an attacker can't spend arbitrary amounts of time working on precomputed data, which is most of TLS because of the nonces in the handshake and the fact that connections will quickly time out if nothing arrives, but since TLS 1.2 has SHA-2 built in already there's probably little point in separating out where SHA-1 is safe vs. where it isn't.)

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
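As an added example that is not part of the mailing-list thread: a small Python check that parses the extension_data of a TLS 1.2 signature_algorithms extension (RFC 5246 section 7.4.1.4.1, a 2-byte length followed by one-byte HashAlgorithm/SignatureAlgorithm pairs) and reports every offered pair whose hash is MD5 or SHA-1, i.e. the "MUST NOT" set the message argues the guidance should cover. The sample extension bytes are constructed for the example; the code is mine and is not an IETF or RFC 7525 artefact.

```python
# Added example (not from the mailing-list thread): policy check over a
# TLS 1.2 signature_algorithms extension body (RFC 5246 section 7.4.1.4.1).
import struct

# HashAlgorithm and SignatureAlgorithm code points from RFC 5246.
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# Hashes treated as MUST NOT: SHA-1 per the guidance under discussion,
# MD5 as the addition the message asks for.
FORBIDDEN_HASHES = frozenset({"md5", "sha1"})


def parse_signature_algorithms(ext_data: bytes):
    """Return the list of (hash, signature) name pairs in extension_data.

    Layout: uint16 length, then `length` bytes of (hash, sig) byte pairs.
    Malformed input raises ValueError rather than being silently accepted.
    """
    if len(ext_data) < 2:
        raise ValueError("extension_data too short for length field")
    (length,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if length != len(body):
        raise ValueError(f"length field {length} != body length {len(body)}")
    if length == 0 or length % 2 != 0:
        raise ValueError("list must be a non-zero even number of bytes")
    pairs = []
    for i in range(0, length, 2):
        h, s = body[i], body[i + 1]
        pairs.append((HASH_NAMES.get(h, f"unknown({h})"),
                      SIG_NAMES.get(s, f"unknown({s})")))
    return pairs


def find_violations(pairs):
    """Pairs whose hash is in the forbidden set, in offered order."""
    return [(h, s) for h, s in pairs if h in FORBIDDEN_HASHES]


def check_extension(ext_data: bytes):
    """Parse and return the forbidden (hash, sig) pairs for one extension."""
    return find_violations(parse_signature_algorithms(ext_data))


# Constructed sample: a peer offering sha256/rsa, sha384/ecdsa, sha1/rsa and
# md5/rsa. The last two are the ones the check must flag.
SAMPLE_EXTENSION = bytes([0x00, 0x08,
                          0x04, 0x01,   # sha256 / rsa
                          0x05, 0x03,   # sha384 / ecdsa
                          0x02, 0x01,   # sha1   / rsa
                          0x01, 0x01])  # md5    / rsa

if __name__ == "__main__":
    for h, s in check_extension(SAMPLE_EXTENSION):
        print(f"forbidden hash offered in signature_algorithms: {h}/{s}")
```

The check deliberately rejects a length field that disagrees with the body rather than truncating, since a lenient parser here would let a malformed ClientHello hide entries from the audit.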