Re: [TLS] DSS with other than SHA-1 algorithms

Jack Lloyd <lloyd@randombit.net> Mon, 09 May 2011 20:15 UTC


On Tue, May 10, 2011 at 02:00:38AM +1200, Peter Gutmann wrote:
> 
> "Implemented in the client" != "used" though.  The only hard data that we have
> at the moment, the SSL Observatory, indicates:
> 
> Number of deployed DSA TLS servers with certs chaining to a trusted root: 25
> Number "  " ECC  "  "  ": Zero
> Number "  " RSA  "  "  ": Millions

So, nobody at all has an ECDSA certificate, but it makes sense to only
assign ciphersuites to algorithm sets that require ECDSA certificates
because that is the common case?  I'm having difficulty reconciling
the above information with the apparent intent of the i-d.

-Jack