On Tuesday, 19 July 2022 at 08:42 Thomas Fossati <thomas.foss...@arm.com> wrote: > Hi Rob, Peter, > > On Thursday, 14 July 2022 at 16:07, Peter Saint-Andre <stpe...@stpeter.im> > wrote: > > On 7/14/22 3:37 AM, Robert Wilton via Datatracker wrote: > > > (4) > > > When using RSA, servers MUST authenticate using certificates > > > with at least a 2048-bit modulus for the public key. In > > > addition, the use of the SHA-256 hash algorithm is RECOMMENDED > > > and SHA-1 or MD5 MUST NOT be used ([RFC9155], and see > > > [CAB-Baseline] for more details). > > > > > > So, for clarity, this would presumably mean that SHA-256 is also > > > preferred over say SHA-512? Is that the intention? Or would it > > > be better if the SHOULD allowed stronger ciphers? > > > > I think we should probably say "SHA-256 or stronger", but again I'd > > like to see what my co-authors think. > > My two cents on this point. > > Readers are always free to choose stronger algorithms if they want to. > However, in this case I don't see a good reason for doing so: if your > threat model involves an adversary with a quantum computer, 256 is as
s/involves/does not involve/ apologies for the confusion. > good as 384 or 512, but it's more concise. So, if your cert is > short-lived, going higher than 256 does not provide any real > advantage. > > If one's cert's notAfter is distant enough that they should start > worrying about the reality of a quantum adversary, then I think the > whole advice in this section would need a massive revamp :-) > > cheers, t IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta
