Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft

Martin Rex <> Thu, 25 February 2010 20:09 UTC

Marsh Ray wrote:
> > so if everyone thinks sha256 will be cryptographically
> > viable for the foreseeable future and SHA-1 will soon be impossible
> > to get "approved", then sha256 truncated to 64 bits could be a
> > reasonable MUST-support algorithm.
> Now you'll have to explain why you're taking the output of an
> industrial-strength hash function and throwing away 3/4 of it. :-) Plus,
> it's wasted effort since collisions will be possible to find in any
> 64-bit hash function.

The original purpose of this extension/proposal is to save network
bandwidth on repeated _full_ TLS handshakes between peers and
where TLS session caching is not available for whatever reason.

In order to make clear that collision resistance of SHA-1 is
perfectly sufficient, I think the hash value should be
unconditionally truncated to, say, 128-bit (16 octets),
independent of which hash algorithm is used.  This would
also answer any question about whether SHA-1 is sufficient. It is.

Btw. the certificate fingerprinting and public key fingerprinting
algorithms currently also still use SHA-1 (e.g. rfc-5280

I firmly believe that "MUST support SHA-1" is perfectly fine for
this proposal and more than just "good enough" to ship it, provided
that both peers can reliably determine (negotiate) through the
Hello extension whether they support or prefer a newer/different
common hash algorithm before the client starts populating his cache.
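As an added illustration of the two points in the message above (not code from the thread, the draft, or the author; the function names, cache layout and the `negotiate_hash` preference rule are my own assumptions), this Python sketch truncates every fingerprint to 16 octets regardless of hash algorithm, and settles the algorithm in the hello exchange before the client populates its cache; it also shows why a mismatched algorithm yields no cache hits.

```python
import hashlib

# Constructed example: the names and cache layout here are illustrative,
# not draft-ietf-tls-cached-info-02's actual wire format.
FINGERPRINT_LEN = 16      # truncate every digest to 128 bits (16 octets)
MUST_SUPPORT = "sha1"     # the mandatory baseline argued for above


def fingerprint(blob: bytes, alg: str) -> bytes:
    """Truncated fingerprint of a cached object (e.g. a DER certificate)."""
    return hashlib.new(alg, blob).digest()[:FINGERPRINT_LEN]


def negotiate_hash(client_prefs, server_supported):
    """Pick the first client-preferred algorithm the server also supports;
    otherwise fall back to MUST_SUPPORT, or None if even that is missing."""
    for alg in client_prefs:
        if alg in server_supported:
            return alg
    return MUST_SUPPORT if MUST_SUPPORT in server_supported else None


class ClientCache:
    """Client-side cache keyed by truncated fingerprint."""

    def __init__(self):
        self.alg = None
        self.entries = {}  # fingerprint -> cached object

    def populate(self, alg, blobs):
        # Called only after the hello exchange agreed on `alg`.
        self.alg = alg
        for blob in blobs:
            self.entries[fingerprint(blob, alg)] = blob

    def offer(self):
        # What the client advertises: the agreed algorithm and its fingerprints.
        return self.alg, list(self.entries)


def server_lookup(alg, offered, server_objects):
    """Server side: which of its objects does the client already hold?"""
    wanted = set(offered)
    return [o for o in server_objects if fingerprint(o, alg) in wanted]


if __name__ == "__main__":
    alg = negotiate_hash(["sha256", "sha1"], {"sha1", "sha256"})
    cache = ClientCache()
    cache.populate(alg, [b"constructed DER cert A"])  # constructed sample
    print(alg, server_lookup(*cache.offer(), [b"constructed DER cert A"]))
```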