Re: [TLS] Signature Algorithms
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 18 March 2015 03:07 UTC
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: "Mehner, Carl" <Carl.Mehner@usaa.com>, Eric Rescorla <ekr@rtfm.com>, Dave Garrett <davemgarrett@gmail.com>
Date: Tue, 17 Mar 2015 23:07:07 -0400
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/B-fCykA2LPPrrBvyGOpeIQEWZGc>
Cc: "tls@ietf.org" <tls@ietf.org>

On Tue 2015-03-17 14:10:25 -0400, Mehner, Carl wrote:
> I’m not arguing for TLS 1.3 to drop support for SHA-1 (that’s up to
> the client configurer), I’m arguing for the TLS signature algorithms
> extension to not specify the signature of a root. This same argument
> applies for MD5 roots with long term SHA-1 end-entity certs.

The signature algorithm used in the self-signature of a root certificate
shouldn't be relevant anywhere. The root is either already trusted by
the peer (or identified via DANE-TA, in which case the digest
restrictions belong in DANE), or it is not. TLS peers should never
reject root certs on the grounds of the digest algorithm within the root
cert itself.

--dkg
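
The following is an added example, not part of the original message or of any TLS implementation: a small model of a chain policy check that applies the peer's signature-algorithm restrictions to every certificate except the trust anchor. The `Cert` class, `check_chain`, and the sample chain are hypothetical and constructed here; issuer linkage is by name only and no cryptographic signature is verified.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str      # algorithm of the signature on this certificate
    fingerprint: str  # constructed stand-in for a hash of the whole certificate

def check_chain(chain, allowed_sig_algs, anchors):
    """Return policy violations for a leaf-first chain (empty list = acceptable).

    anchors: dict mapping fingerprint -> Cert for locally trusted certificates.
    """
    if not chain:
        return ["empty chain"]
    problems = []
    for i, cert in enumerate(chain):
        if cert.fingerprint in anchors:
            # Trust comes from local configuration, not from the signature on
            # the anchor, so its digest algorithm is never examined.
            return problems
        # Assumption of this model: subject == issuer means a self-signed root.
        # An unanchored root fails below for lack of trust, not for its digest.
        if cert.subject != cert.issuer and cert.sig_alg not in allowed_sig_algs:
            problems.append(f"{cert.subject}: signature {cert.sig_alg} not allowed")
        if i + 1 < len(chain) and chain[i + 1].subject != cert.issuer:
            problems.append(f"{cert.subject}: next certificate is not its issuer")
    # No anchor was sent. The peer may omit the root, in which case the last
    # certificate must have been issued by a configured anchor.
    last = chain[-1]
    anchor_names = {a.subject for a in anchors.values()}
    if last.subject == last.issuer or last.issuer not in anchor_names:
        problems.append("chain does not end at a trusted anchor")
    return problems

# Constructed sample data: an MD5 self-signed root over a SHA-256 chain.
ROOT = Cert("Root CA", "Root CA", "md5WithRSAEncryption", "fp-root")
INTER = Cert("Issuing CA", "Root CA", "sha256WithRSAEncryption", "fp-inter")
LEAF = Cert("www.example.test", "Issuing CA", "sha256WithRSAEncryption", "fp-leaf")
ALLOWED = {"sha256WithRSAEncryption"}

if __name__ == "__main__":
    print(check_chain([LEAF, INTER, ROOT], ALLOWED, {ROOT.fingerprint: ROOT}))
    print(check_chain([LEAF, INTER, ROOT], ALLOWED, {}))
```

With the root configured as an anchor the chain is accepted despite the MD5 self-signature; with no anchor configured the same chain is rejected for lack of trust, and the root's digest is not cited as the reason.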