IETF Logo Mail Archive

Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2

"Salz, Rich" <rsalz@akamai.com> Fri, 24 March 2017 12:37 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B5231297E6 for <tls@ietfa.amsl.com>; Fri, 24 Mar 2017 05:37:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JEaqaDkNY0SJ for <tls@ietfa.amsl.com>; Fri, 24 Mar 2017 05:37:33 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DC351296CF for <tls@ietf.org>; Fri, 24 Mar 2017 05:37:33 -0700 (PDT)
Received: from pps.filterd (m0050095.ppops.net [127.0.0.1]) by m0050095.ppops.net-00190b01. (8.16.0.20/8.16.0.20) with SMTP id v2OCbVUH030801 for <tls@ietf.org>; Fri, 24 Mar 2017 12:37:31 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=jan2016.eng; bh=no2JlMv9XWUnV6R4YZrrK5aoWkHRIQ8QUwexW14ILug=; b=IrXndzOcpvY/Cb0DJmbMdAEzvmLJxdAffo8b1YPNPFFoSD0ShcT1qyTNPGRkD7iP/8nm 8iPj1PgfiIUmqbAe2nydIfH4ZZsu8W3QFub55nuRdAw+Tm+46aTu2enAZJj/7dCyJ0H3 GSODbJNgPrX+1ItazdSxta0H62uypfQ2mfeEQfIL5g8z/j9OWu/1rZSzyaJZfrRyXRdl Si/fzw205gFLbjQUGMEZenwWD8leBOukXUA6785PTqmh3g/McMs1ZWa4NaEqdR634Nz3 UWjmDGRIZ3FgGH5088BlM8Iur4QJRt2F2zHGhs6m0CB2wa2odOjrQ1ab6ZFhUxcnXyzT xQ==
Received: from prod-mail-ppoint2 (a184-51-33-19.deploy.static.akamaitechnologies.com [184.51.33.19] (may be forged)) by m0050095.ppops.net-00190b01. with ESMTP id 29c9wsg8dn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <tls@ietf.org>; Fri, 24 Mar 2017 12:37:30 +0000
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v2OCbGs1019250 for <tls@ietf.org>; Fri, 24 Mar 2017 08:37:28 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.31]) by prod-mail-ppoint2.akamai.com with ESMTP id 29b9ww8xdq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for <tls@ietf.org>; Fri, 24 Mar 2017 08:37:28 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb1.msg.corp.akamai.com (172.27.123.101) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Fri, 24 Mar 2017 08:37:27 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1178.000; Fri, 24 Mar 2017 08:37:27 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: TLS WG <tls@ietf.org>
Thread-Topic: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2
Thread-Index: AdKj4jdTMGBzllsXQzCZ8vwWateOaAAV7P7yAAlwAIAAB6SGgAAAhYSAAAbAPnA=
Date: Fri, 24 Mar 2017 12:37:26 +0000
Message-ID: <5fb32f1f5a054f739c3454642d4ee70e@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <E6C9F0E527F94F4692731382340B337846DD1B@DENBGAT9EH2MSX.ww902.siemens.net> <1490317199552.71745@cs.auckland.ac.nz> <52C6D0EF-D6AC-484A-9096-BDAE5C870F82@dukhovni.org> <CABkgnnVS-0vh_fPVQVnq6YxxrYNQ1=+90Ct8CmUocJf7R6k4bA@mail.gmail.com> <7970606B-0096-475D-8842-2A14E5168413@dukhovni.org>
In-Reply-To: <7970606B-0096-475D-8842-2A14E5168413@dukhovni.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.32.234]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-24_11:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703240110
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-24_11:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703240110
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/S6hQmQJacWV2grg11Ljf-zCw2O4>
Subject: Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Mar 2017 12:37:35 -0000

> Sorry I meant to say multiple digest algorithms for otherwise identical chains
> (same public key algorithm and server name).

We used to have to do this, during the MD5-deprecation days.

v2.23.0 | Report a Bug | By Email