Re: [TLS] DSS with other than SHA-1 algorithms

Simon Josefsson <simon@josefsson.org> Thu, 07 April 2011 06:14 UTC

From: Simon Josefsson <simon@josefsson.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <BANLkTikP0kAEkFJ91x09GpyMCBAmVGAiQQ@mail.gmail.com> <E1Q7gEL-0001Q1-Vi@login01.fos.auckland.ac.nz>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
Date: Thu, 07 Apr 2011 08:15:16 +0200
In-Reply-To: <E1Q7gEL-0001Q1-Vi@login01.fos.auckland.ac.nz> (Peter Gutmann's message of "Thu, 07 Apr 2011 15:50:01 +1200")
Message-ID: <878vvmy4cr.fsf@latte.josefsson.org>
Cc: tls@ietf.org
Subject: Re: [TLS] DSS with other than SHA-1 algorithms
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>

Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:

> Hovav Shacham <hovav@cs.ucsd.edu> writes:
>
>>How about we remove DSA support from TLS, then?
>
> Possibly a bit extreme, but we could at least mark it "historical" or 
> "deprecated" or something.  In fact we could do that for an awful lot of 
> existing cipher suites.  Note that this isn't changing the standard in any 
> way, it's just documenting what's already the norm among implementations.  If 
> a cipher suite's been in there for ten years and there are, approximately, 
> zero cases of it being used, then saying "Don't bother with this one" in order 
> to help guide implementers seems sensible.

Unfortunately I think DSA is still mandatory-to-implement in some
protocols.  That makes it a bit more complicated, but still doable.

/Simon
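The exchange above is about marking DSS (DSA-signed) cipher suites as deprecated so that implementers stop offering them. As an added example that is not part of the thread, the following Python shows the defender-side counterpart: classify a configured list of IANA cipher-suite names by their authentication method so DSS suites can be flagged, and verify through the `ssl` module that an OpenSSL cipher string with `!DSS` leaves no DSS suite enabled. The suite list is a constructed sample, and `parse_iana_name`, `dss_suites` and `openssl_dss_ciphers` are names chosen here, not anything from the TLS specification or a library.

```python
"""Flag DSS-authenticated TLS cipher suites and confirm an OpenSSL
cipher string excludes them.  Added example, not code from the thread."""
import ssl

# Constructed sample of IANA cipher-suite names as they might appear in a
# server's configured list: a mix of RSA, ECDSA, DSS and TLS 1.3 suites.
SAMPLE_SUITES = [
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_AES_128_GCM_SHA256",
]


def parse_iana_name(name):
    """Split an IANA suite name into (key_exchange, authentication, rest).

    TLS 1.2-style names look like TLS_<KX>_<AUTH>_WITH_<cipher>_<mac>.  When a
    single token precedes WITH (e.g. TLS_RSA_WITH_...) it serves as both key
    exchange and authentication.  TLS 1.3 names have no WITH part and carry no
    authentication token, because the signature scheme is negotiated
    separately via signature_algorithms.
    """
    if not name.startswith("TLS_"):
        raise ValueError("not a TLS cipher-suite name: %s" % name)
    head, sep, rest = name[4:].partition("_WITH_")
    if not sep:
        return (None, None, head)
    tokens = head.split("_")
    if len(tokens) == 1:
        return (tokens[0], tokens[0], rest)
    return (tokens[0], tokens[1], rest)


def dss_suites(names):
    """Return the suite names whose authentication token is DSS."""
    return [n for n in names if parse_iana_name(n)[1] == "DSS"]


def openssl_dss_ciphers(cipher_string):
    """Apply cipher_string to a fresh OpenSSL context and return the names of
    the enabled suites that use DSS (OpenSSL spells the token 'DSS' in its
    names, e.g. DHE-DSS-AES128-SHA).  An empty list means the string excludes
    every DSS suite on this build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if "DSS" in c["name"]]


if __name__ == "__main__":
    for suite in dss_suites(SAMPLE_SUITES):
        print("DSS-authenticated suite configured:", suite)
    # Audit: with '!DSS' appended, OpenSSL should enable no DSS suite at all.
    print("DSS suites left after ALL:!DSS:", openssl_dss_ciphers("ALL:!DSS"))
```

The name-based classifier is deliberately independent of OpenSSL so it can be run over a suite list pulled from any server configuration or scan output; the `ssl` check is the confirmation step against the library actually linked into the process, which is what ultimately decides what gets offered on the wire.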