On Mon, May 6, 2019 at 10:39 AM Benjamin Kaduk <bka...@akamai.com> wrote:
> On Sat, May 04, 2019 at 09:00:17AM -0400, Kathleen Moriarty wrote:
> > On Fri, May 3, 2019 at 10:46 PM Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> >
> > > Kathleen Moriarty <kathleen.moriarty.i...@gmail.com> writes:
> > >
> > > >MD5 is not discussed in the current version of RFC7525.
> > >
> > > I would add it, if this is guidance for general use then it should cover all
> > > the bases, if SHA-1 is a MUST NOT then MD5 is a REALLY REALLY REALLY MUST NOT.
> > >
> > > (Technically SHA-1 is still safe for ephemeral signing, i.e. locations where
> > > an attacker can't spend arbitrary amounts of time working on precomputed data,
> > > which is most of TLS because of the nonces in the handshake and the fact that
> > > connections will quickly time out if nothing arrives, but since TLS 1.2 has
> > > SHA-2 built in already there's probably little point in separating out where
> > > SHA-1 is safe vs. where it isn't).
> > >
> >
> > Sure, I agree, but needed to look through prior documents first. Since it
> > wasn't in RFC7525 as a recommendation and the minimum baseline was above
> > MD5, I suspect that is why it is not mentioned. If there is support (and
> > no disagreements) the text above could be added and include SHA-1 and MD5
> > MUST NOT be used. The minimum baseline is already set above it though in
> > the statement.
> >
> > WG decision is appreciated on this point and proposed text for RFC 7525.
> >
> > Proposed:
> >
> > When using RSA, servers SHOULD authenticate using certificates with
> > at least a 2048-bit modulus for the public key. In addition, the use
> > of the SHA-256 hash algorithm is the minimum requirement, SHA-1 and
> > MD5 MUST not be used (see [CAB-Baseline
> > <https://tools.ietf.org/html/rfc7525#ref-CAB-Baseline>] for
> > more details). Clients SHOULD indicate to servers that they request
> > SHA-256, by using the "Signature Algorithms" extension defined in
> > TLS 1.2.
>
> We'd probably want to wordsmith it a bit more, as there's not exactly a
> strict ordering on hash function strength, and "minimum requirement"
> could be taken to mean "MUST use SHA-256", which is presumably not the
> intent.
>

If this goes in, suggestions are welcome as we're trying to wrap this up. If it's a separate document, then I think we're done with the last call comments.

Thanks,
Kathleen

> -Ben
>

--
Best regards,
Kathleen
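The proposed text above amounts to a policy that a server, a scanner or a test harness can check mechanically: the client's signature_algorithms offer should carry SHA-256 or stronger and not SHA-1 or MD5, and the server certificate should be SHA-256-signed with an RSA modulus of at least 2048 bits. The following is an added example written for this thread, not code from the list, from RFC 7525 or from any TLS implementation. It encodes and parses the TLS 1.2 signature_algorithms extension (extension type 13, RFC 5246 section 7.4.1.4.1) over constructed ClientHello extension bytes, and evaluates both the client offer and a certificate's properties against the proposed rules. The sample offers and the way the rules are mapped onto verdicts are my own assumptions about how the text would be applied.

```python
"""Check TLS 1.2 signature_algorithms offers and certificate properties
against the policy proposed in the thread: SHA-256 or stronger is the floor,
SHA-1 and MD5 are not allowed, RSA keys should be at least 2048 bits.
Added example; the byte strings below are constructed sample data and the
verdict mapping is an interpretation of the proposed text, not RFC text."""
import struct

# HashAlgorithm and SignatureAlgorithm code points, RFC 5246 section 7.4.1.4.1
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
HASH_CODES = {v: k for k, v in HASH_NAMES.items()}
SIG_CODES = {v: k for k, v in SIG_NAMES.items()}
SIGNATURE_ALGORITHMS_EXT = 13            # extension type for signature_algorithms

FORBIDDEN_HASHES = {"md5", "sha1"}       # "MUST NOT be used" in the proposed text
ACCEPTABLE_HASHES = {"sha256", "sha384", "sha512"}  # SHA-256 floor (assumed reading)
MIN_RSA_BITS = 2048


def build_extensions(pairs):
    """Encode a ClientHello extensions block holding only signature_algorithms.
    pairs: list of (hash_name, sig_name). Used here to construct sample input."""
    lst = b"".join(bytes([HASH_CODES[h], SIG_CODES[s]]) for h, s in pairs)
    body = struct.pack("!H", len(lst)) + lst                        # list length + list
    ext = struct.pack("!HH", SIGNATURE_ALGORITHMS_EXT, len(body)) + body
    return struct.pack("!H", len(ext)) + ext                         # extensions length


def parse_extensions(blob):
    """Parse a TLS extensions block (2-byte total length, then type/len/data)."""
    (total,) = struct.unpack("!H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("extensions length mismatch")
    pos, exts = 2, {}
    while pos < len(blob):
        ext_type, ext_len = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        if pos + ext_len > len(blob):
            raise ValueError("extension overruns block")
        exts[ext_type] = blob[pos:pos + ext_len]
        pos += ext_len
    return exts


def parse_signature_algorithms(body):
    """Decode supported_signature_algorithms into (hash, signature) name pairs."""
    (list_len,) = struct.unpack("!H", body[:2])
    if list_len != len(body) - 2 or list_len % 2:
        raise ValueError("malformed supported_signature_algorithms")
    pairs = []
    for i in range(2, 2 + list_len, 2):
        h, s = body[i], body[i + 1]
        pairs.append((HASH_NAMES.get(h, f"hash({h})"), SIG_NAMES.get(s, f"sig({s})")))
    return pairs


def evaluate_client_offer(exts):
    """Return ("pass"|"fail", findings) for a parsed extensions dict."""
    body = exts.get(SIGNATURE_ALGORITHMS_EXT)
    if body is None:
        # RFC 5246: with no extension the server behaves as if {sha1, rsa} etc.
        # had been offered, so silence is effectively a SHA-1 offer.
        return "fail", ["no signature_algorithms extension; defaults imply SHA-1"]
    pairs = parse_signature_algorithms(body)
    findings = [f"offers {h} with {s}" for h, s in pairs if h in FORBIDDEN_HASHES]
    if not any(h in ACCEPTABLE_HASHES for h, _ in pairs):
        findings.append("no SHA-256 or stronger hash offered")
    return ("pass" if not findings else "fail"), findings


def check_server_certificate(sig_hash, key_type, key_bits):
    """Apply the proposed server-side rules to a certificate's properties
    (hash used in its signature, key type, key size in bits)."""
    findings = []
    if sig_hash in FORBIDDEN_HASHES:
        findings.append(f"certificate signed with {sig_hash}: MUST NOT")
    elif sig_hash not in ACCEPTABLE_HASHES:
        findings.append(f"certificate signed with {sig_hash}: below SHA-256 floor")
    if key_type == "rsa" and key_bits < MIN_RSA_BITS:
        findings.append(f"RSA modulus {key_bits} bits: SHOULD be at least {MIN_RSA_BITS}")
    return findings


# Constructed sample offers (not captured traffic).
LEGACY_OFFER = build_extensions([("sha256", "rsa"), ("sha384", "ecdsa"), ("sha1", "rsa")])
MODERN_OFFER = build_extensions([("sha256", "rsa"), ("sha512", "ecdsa")])

if __name__ == "__main__":
    for name, blob in (("legacy", LEGACY_OFFER), ("modern", MODERN_OFFER)):
        verdict, findings = evaluate_client_offer(parse_extensions(blob))
        print(name, verdict, findings)
    print(check_server_certificate("md5", "rsa", 1024))
```

Note that a client which still lists sha1 alongside sha256 is flagged even though a well-configured server would never pick the SHA-1 entry; that matches the stricter reading of "MUST NOT be used" rather than Ben's point that a "minimum" should not be read as "MUST use SHA-256 only", and the two sets at the top are the place to adjust if the WG settles on different wording.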
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls