On Sat, May 4, 2019, at 23:01, Kathleen Moriarty wrote:
> WG decision is appreciated on this point and proposed text for RFC 7525.
>
> Proposed: When using RSA, servers SHOULD authenticate using
> certificates with
> at least a 2048-bit modulus for the public key. In addition, the use
> of the SHA-256 hash algorithm is the minimum requirement, SHA-1 and
> MD5 MUST not be used (see [CAB-Baseline
> <https://tools.ietf.org/html/rfc7525#ref-CAB-Baseline>] for
> more details). Clients SHOULD indicate to servers that they request
> SHA-256, by using the "Signature Algorithms" extension defined in
> TLS 1.2.
Whether the chairs want this here or in a new thread, I fully endorse this. I don't think that I can safely turn SHA-1 off today, but it's definitely on the list. We don't even have code for MD5 in the stack any more, except for the weird paired hash thing in TLS <1.2.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls