Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft

Brian Smith <> Fri, 19 February 2010 17:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 956893A8196 for <>; Fri, 19 Feb 2010 09:51:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6AQWAWnJQ2Na for <>; Fri, 19 Feb 2010 09:51:07 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 842803A81A6 for <>; Fri, 19 Feb 2010 09:51:07 -0800 (PST)
Received: from [] (unknown []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id ECB7322E1F1; Fri, 19 Feb 2010 12:52:47 -0500 (EST)
Message-ID: <>
Date: Fri, 19 Feb 2010 11:52:47 -0600
From: Brian Smith <>
User-Agent: Postbox 1.1.1 (Windows/20100208)
MIME-Version: 1.0
To: Stefan Santesson <>
References: <>
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------070206020609000402050600"
Cc: "Kemp, David P." <>,
Subject: Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 19 Feb 2010 17:51:08 -0000

Stefan Santesson wrote:
> Brian,
> The use of hash functions in this draft does not require collision 
> resistance.
> This is actually quite easy to prove.
Nobody is questioning that at all.

My points are:

1. As long as this web page on the NIST website says, basically, "don't 
use SHA-1 for anything," people will want to disable SHA-1 whenever they 
can. It doesn't matter that this page on the website isn't the official 
NIST recommendation on the matter. It doesn't matter that NIST 
recommendations are only binding for federal government work. It doesn't 
matter that the official NIST recommendation (SP 800-107) is more 
limited in its recommendations against SHA-1. People will still want to 
disable it. Like I said many messages before, even if it isn't a  
technical problem, it is a social problem. And, that problem can be 
easily avoided.

2. It doesn't make sense to require SHA-1 support to be added to 
implementations that don't need SHA-1 for any other purpose. TLS 1.2 
doesn't require SHA-1 for anything, so you can build a compliant and 
useful implementation without SHA-1 support. There are technical 
advantages to doing so. Obviously, this isn't practical for 
general-purpose web browsers, but it is practical for many other uses.

3. There are two simple alternatives that work: (a) mandate SHA2 instead 
of SHA1, at least for TLS 1.2+, or (b) avoid mandating any hashing at 
all by using opaque tokens.