[TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

Kurt Roeckx <kurt@roeckx.be> Mon, 11 January 2016 18:30 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/QjYaoOitdQCOg1hdNTAdsD2Bb4M>

After the SLOTH paper, we should think about starting to deprecate
TLS 1.0 and TLS 1.1 and the SHA1-based signature algorithms in TLS.

As I understand it, they estimate that both TLS 1.2 with SHA1 and
TLS 1.0 and 1.1 with MD5|SHA1 currently require about 2^77 to be
broken.  They all depend on the chosen prefix collision on SHA1,
with the MD5 part in TLS 1.0 and 1.1 not adding much.

It seems that disabling SHA1 in TLS 1.2 doesn't buy you anything
unless you also disable TLS 1.0 and 1.1.
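
The point in the last paragraph of the message above can be checked mechanically. The following is an added example, not part of the original message: it lists which protocol versions in a configuration can still produce a SHA1-dependent handshake signature. The "hash+keytype" strings and the sample configurations are constructed for illustration and are not any library's syntax.

```python
# Added example: audit which enabled TLS versions can still yield a
# SHA1-dependent handshake signature. Names and inputs are constructed.

VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest

# TLS 1.0/1.1 have no signature_algorithms negotiation: the hash is fixed
# by the key type (MD5||SHA1 for RSA, SHA1 for DSA and ECDSA).
FIXED_HASH = {"rsa": "MD5|SHA1", "dsa": "SHA1", "ecdsa": "SHA1"}


def reachable_hashes(min_version, max_version, sigalgs):
    """Map each enabled version to the signature hashes a peer can obtain.

    sigalgs: list of "hash+keytype" strings (hypothetical notation),
    e.g. "sha256+rsa". The list only constrains TLS 1.2.
    """
    lo, hi = VERSIONS.index(min_version), VERSIONS.index(max_version)
    if lo > hi:
        raise ValueError("min_version is newer than max_version")
    pairs = [s.lower().split("+") for s in sigalgs]
    result = {}
    for version in VERSIONS[lo:hi + 1]:
        if version == "TLSv1.2":
            result[version] = {h.upper() for h, _ in pairs}
        else:
            # The configured hash list is ignored; only the key type matters.
            result[version] = {FIXED_HASH[k] for _, k in pairs}
    return result


def sha1_exposed_versions(min_version, max_version, sigalgs):
    """Enabled versions where a signature over SHA1 (alone or with MD5) remains possible."""
    hashes = reachable_hashes(min_version, max_version, sigalgs)
    return [v for v in VERSIONS
            if any("SHA1" in h.split("|") for h in hashes.get(v, ()))]


if __name__ == "__main__":
    # Constructed sample configurations.
    configs = {
        "legacy": ("TLSv1.0", "TLSv1.2", ["sha256+rsa", "sha1+rsa"]),
        "sha1 removed from TLS 1.2 only": ("TLSv1.0", "TLSv1.2", ["sha256+rsa"]),
        "TLS 1.2 only, no sha1": ("TLSv1.2", "TLSv1.2", ["sha256+rsa"]),
    }
    for name, cfg in configs.items():
        print(f"{name}: SHA1 still reachable in {sha1_exposed_versions(*cfg) or 'none'}")
```

This models only which hash the protocol version fixes or negotiates; it says nothing about the cost estimate quoted in the message.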