On Sat, May 04, 2019 at 09:00:17AM -0400, Kathleen Moriarty wrote:
> On Fri, May 3, 2019 at 10:46 PM Peter Gutmann <pgut...@cs.auckland.ac.nz>
> wrote:
>
> > Kathleen Moriarty <kathleen.moriarty.i...@gmail.com> writes:
> >
> > >MD5 is not discussed in the current version of RFC7525.
> >
> > I would add it, if this is guidance for general use then it should cover all
> > the bases, if SHA-1 is a MUST NOT then MD5 is a REALLY REALLY REALLY MUST NOT.
> >
> > (Technically SHA-1 is still safe for ephemeral signing, i.e. locations where
> > an attacker can't spend arbitrary amounts of time working on precomputed data,
> > which is most of TLS because of the nonces in the handshake and the fact that
> > connections will quickly time out if nothing arrives, but since TLS 1.2 has
> > SHA-2 built in already there's probably little point in separating out where
> > SHA-1 is safe vs. where it isn't).
> >
>
> Sure, I agree, but needed to look through prior documents first. Since it
> wasn't in RFC7525 as a recommendation and the minimum baseline was above
> MD5, I suspect that is why it is not mentioned. If there is support (and
> no disagreements) the text above could be added and include SHA-1 and MD5
> MUST NOT be used. The minimum baseline is already set above it though in
> the statement.
>
> WG decision is appreciated on this point and proposed text for RFC 7525.
>
> Proposed:
>
> When using RSA, servers SHOULD authenticate using certificates with
> at least a 2048-bit modulus for the public key. In addition, the use
> of the SHA-256 hash algorithm is the minimum requirement, SHA-1 and
> MD5 MUST not be used (see [CAB-Baseline
> <https://tools.ietf.org/html/rfc7525#ref-CAB-Baseline>] for
> more details). Clients SHOULD indicate to servers that they request
> SHA-256, by using the "Signature Algorithms" extension defined in
> TLS 1.2.
We'd probably want to wordsmith it a bit more, as there's not exactly a
strict ordering on hash function strength, and "minimum requirement" could
be taken to mean "MUST use SHA-256", which is presumably not the intent.

-Ben

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
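The proposed text above describes two checks an operator can actually automate: that a client advertises only SHA-2 hashes in the TLS 1.2 `signature_algorithms` extension, and that a server certificate's signature hash and RSA modulus size meet the baseline. The following is an added example, not code from the thread or from any IETF document. It uses the HashAlgorithm/SignatureAlgorithm code points and the extension layout of RFC 5246 and standard PKCS#1/ECDSA signature OIDs; the name `check_certificate_policy`, the sample offers and the decision to read "SHA-256 minimum" as "SHA-256, SHA-384 or SHA-512 are acceptable" (rather than "MUST use SHA-256", the ambiguity Ben points out) are this example's own assumptions.

```python
import struct

# TLS 1.2 HashAlgorithm and SignatureAlgorithm code points (RFC 5246, 7.4.1.4.1).
HASH = {"none": 0, "md5": 1, "sha1": 2, "sha224": 3, "sha256": 4, "sha384": 5, "sha512": 6}
SIG = {"anonymous": 0, "rsa": 1, "dsa": 2, "ecdsa": 3}
HASH_NAME = {v: k for k, v in HASH.items()}
SIG_NAME = {v: k for k, v in SIG.items()}
SIGNATURE_ALGORITHMS_EXT = 13  # extension_type for signature_algorithms

# Policy from the proposed RFC 7525 text: SHA-1 and MD5 MUST NOT be used and
# RSA moduli must be at least 2048 bits. "SHA-256 minimum" is read here as
# "SHA-256, SHA-384 or SHA-512 are acceptable" (an assumption of this example).
FORBIDDEN_HASHES = {"md5", "sha1"}
ACCEPTABLE_HASHES = {"sha256", "sha384", "sha512"}
MIN_RSA_BITS = 2048

# Certificate signatureAlgorithm OIDs mapped to (hash, signature) names.
CERT_SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5", "rsa"),
    "1.2.840.113549.1.1.5": ("sha1", "rsa"),
    "1.2.840.113549.1.1.11": ("sha256", "rsa"),
    "1.2.840.113549.1.1.12": ("sha384", "rsa"),
    "1.2.840.113549.1.1.13": ("sha512", "rsa"),
    "1.2.840.10045.4.1": ("sha1", "ecdsa"),
    "1.2.840.10045.4.3.2": ("sha256", "ecdsa"),
    "1.2.840.10045.4.3.3": ("sha384", "ecdsa"),
    "1.2.840.10045.4.3.4": ("sha512", "ecdsa"),
}


def encode_signature_algorithms(pairs):
    """Wire form of the extension:
    extension_type(2) | extension_length(2) | list_length(2) | (hash, sig)*"""
    body = b"".join(bytes([HASH[h], SIG[s]]) for h, s in pairs)
    sig_list = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", SIGNATURE_ALGORITHMS_EXT, len(sig_list)) + sig_list


def decode_signature_algorithms(blob):
    """Parse one signature_algorithms extension, rejecting inconsistent lengths."""
    if len(blob) < 6:
        raise ValueError("extension too short")
    ext_type, ext_len = struct.unpack("!HH", blob[:4])
    if ext_type != SIGNATURE_ALGORITHMS_EXT:
        raise ValueError(f"not signature_algorithms (type {ext_type})")
    data = blob[4:4 + ext_len]
    if len(data) != ext_len:
        raise ValueError("truncated extension body")
    (list_len,) = struct.unpack("!H", data[:2])
    entries = data[2:2 + list_len]
    if len(entries) != list_len or list_len % 2 or list_len + 2 != ext_len:
        raise ValueError("inconsistent list length")
    return [
        (HASH_NAME.get(entries[i], f"unknown({entries[i]})"),
         SIG_NAME.get(entries[i + 1], f"unknown({entries[i + 1]})"))
        for i in range(0, list_len, 2)
    ]


def weak_offers(pairs):
    """Return the (hash, sig) pairs in an offer that the policy forbids."""
    return [p for p in pairs if p[0] in FORBIDDEN_HASHES]


def check_certificate_policy(sig_oid, key_type, key_bits):
    """Evaluate a certificate's signature OID and key size against the proposed
    text. Returns a list of findings; an empty list means it passes."""
    findings = []
    hash_name, _ = CERT_SIG_OIDS.get(sig_oid, ("unknown", "unknown"))
    if hash_name in FORBIDDEN_HASHES:
        findings.append(f"signature hash {hash_name} MUST NOT be used")
    elif hash_name not in ACCEPTABLE_HASHES:
        findings.append(f"signature algorithm {sig_oid} is not in the accepted set")
    if key_type == "rsa" and key_bits < MIN_RSA_BITS:
        findings.append(f"RSA modulus of {key_bits} bits is below {MIN_RSA_BITS}")
    return findings


# Constructed sample offers: a compliant client, and a legacy client that
# still lists SHA-1 and MD5 pairs after the SHA-2 ones.
COMPLIANT_OFFER = [("sha256", "rsa"), ("sha384", "rsa"), ("sha512", "rsa"),
                   ("sha256", "ecdsa"), ("sha384", "ecdsa")]
LEGACY_OFFER = COMPLIANT_OFFER + [("sha1", "rsa"), ("md5", "rsa"), ("sha1", "ecdsa")]

if __name__ == "__main__":
    print("compliant extension:", encode_signature_algorithms(COMPLIANT_OFFER).hex())
    legacy_wire = encode_signature_algorithms(LEGACY_OFFER)
    print("weak pairs in legacy offer:", weak_offers(decode_signature_algorithms(legacy_wire)))
    print("sha1WithRSA, 1024-bit:", check_certificate_policy("1.2.840.113549.1.1.5", "rsa", 1024))
    print("sha256WithRSA, 2048-bit:", check_certificate_policy("1.2.840.113549.1.1.11", "rsa", 2048))
```

Run over a captured ClientHello, `decode_signature_algorithms` plus `weak_offers` tells you which clients would still negotiate SHA-1 signatures if the server allowed it, which is the data a WG participant would want before deciding how hard the MUST NOT should bite; `check_certificate_policy` applies the server-side half of the same text to a certificate's signature OID and key size once those have been pulled out by whatever X.509 parser you already use.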