Re: [TLS] SHA-3 in SignatureScheme

"Blumenthal, Uri - 0553 - MITLL" <> Fri, 02 September 2016 13:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C61DC12D87F for <>; Fri, 2 Sep 2016 06:29:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.747
X-Spam-Status: No, score=-4.747 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.548, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DnN5KS0SeCnj for <>; Fri, 2 Sep 2016 06:29:30 -0700 (PDT)
Received: from (LLMX2.LL.MIT.EDU []) by (Postfix) with ESMTP id 8E37C12D87C for <>; Fri, 2 Sep 2016 06:29:30 -0700 (PDT)
Received: from ( by (unknown) with ESMTP id u82DPoaa006575; Fri, 2 Sep 2016 09:25:50 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <>
To: Ilari Liusvaara <>, Hubert Kario <>
Thread-Topic: [TLS] SHA-3 in SignatureScheme
Thread-Index: AdIFHgf/OWP+vPLKs0GIS/iOWjsWWg==
Date: Fri, 2 Sep 2016 13:29:28 +0000
Message-ID: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="===============1684456817=="
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-09-02_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=inbound_notspam policy=inbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1609020179
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] SHA-3 in SignatureScheme
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 02 Sep 2016 13:29:33 -0000

Speaking of PRF hash, I want to bring up the fact that‎ SHA-3 is a better PRF by design, as that was one of the explicitly stated competition requirements (unlike MD*, SHA-1, and SHA-2).

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
  Original Message  
From: Ilari Liusvaara
Sent: Friday, September 2, 2016 06:44
To: Hubert Kario
Subject: Re: [TLS] SHA-3 in SignatureScheme

On Fri, Sep 02, 2016 at 12:08:47PM +0200, Hubert Kario wrote:
> On Thursday, 1 September 2016 19:22:18 CEST Dave Garrett wrote:
> >
> > The reason I see is that we currently specify exactly one valid hash
> > algorithm (in a variety of sizes). The precedent argument is good enough
> > for me. I think adding it in this document is definitely worth considering.
> > I don't want to wait until SHA-2 is considered weak to provide an
> > alternative, if we can avoid it.
> I've created a PR for it:
> I haven't changed any recommendations, the recommended hashes to implement are 
> still SHA-2 based, and I don't think we should change that given that 
> certificates just now are transitioning to SHA-256 because of incompatibility 
> fears.

Just tweaking the signatures is not enough. There is also the PRF hash,
and using weak hash there has, umm... rather bad consequences.

I also don't see why this should be in TLS 1.3 spec, instead of being
its own spec (I looked up how much process BS it would be to get the
needed registrations: informative RFC would do).


TLS mailing list