- From: "Ian G (Audit)" <iang AT cacert.org>
- To: CAcert Board <cacert-board AT lists.cacert.org>, CAcert System Administrators <cacert-sysadm AT lists.cacert.org>
- Subject: [Cacert-sysadm] ...SHA-1 considered harmful tomorrow
- Date: Sun, 25 Jan 2009 13:09:09 +0100
- List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
- List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>
More on that "SHA1 disaster brewing" thing. My understanding today (wait until Monday before challenging ...) is:
* servers (all) need to support TLS1.2 before the old hash family is gone.
* clients (all) need to support old hash family until the servers stop serving TLS1.1
* servers won't stop before clients stop before servers stop...
* Apache httpd won't handle SHA2 certs any time soon
* SHA2 is off the agenda?
* might want to stick a nonce in each cert?
-------- Original Message --------
Subject: Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow
Date: Fri, 23 Jan 2009 09:23:05 -0800
From: Eric Rescorla <ekr AT networkresonance.com>
[snip]
Nearly all the changes to TLS between 1.1 and 1.2 were specifically designed to accommodate new digest algorithms throughout the protocol.
For those of you who aren't TLS experts, TLS had MD5 and SHA-1 wired all throughout the protocol and we had to arrange to strip them out, plus find a way to signal that you were willing to support the newer algorithms. To avoid this becoming a huge pile of hacks, we had to restructure some of the less orthogonal negotiation mechanisms. The other major (and totally optional) change was the addition of combined cipher modes like GCM. That change was made primarily because we were in there and there was some demand for those modes. So, no, I don't consider these changes "gratuitous", though of course they are incompatible. Yes, there were simpler things we could have done, such as just specifying a new set of fixed digest algorithms to replace MD5 and SHA-1, but I and others felt that this was unwise from a futureproofing perspective.
Yes, the changes between TLS 1.1 and TLS 1.2 are about as big as those between SSL and TLS. I'm not particularly happy about that either, but it's what we felt was necessary to do a principled job.
-Ekr
---------------------------------------------------------------------
The Cryptography Mailing List
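One concrete place where MD5 and SHA-1 were "wired all throughout the protocol" is the pseudo-random function that derives the key block. The following is an added illustration, not code from either message or from CAcert: the TLS 1.0/1.1 PRF (RFC 4346) XORs a fixed P_MD5 stream with a fixed P_SHA1 stream, while the TLS 1.2 PRF (RFC 5246) is one P_hash whose digest is chosen by the negotiated cipher suite. The secret, label and seed values are constructed sample inputs, not real key material.

```python
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash (RFC 2246 / RFC 5246, section 5): HMAC expansion to `length` bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()   # HMAC(secret, A(i) + seed)
    return out[:length]


def prf_tls11(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0/1.1 PRF (RFC 4346, section 5). Both digests are fixed by the spec:
    the secret is split into two halves (sharing the middle byte when the length
    is odd), P_MD5 runs over the first half, P_SHA1 over the second, and the two
    streams are XORed. Neither hash can be swapped without changing the protocol."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def prf_tls12(secret: bytes, label: bytes, seed: bytes, length: int,
              hash_name: str = "sha256") -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5): a single P_hash whose digest is named
    by the negotiated cipher suite (SHA-256 unless the suite specifies another)."""
    return p_hash(hash_name, secret, label + seed, length)


# Constructed sample inputs (not real key material): a 48-byte master secret
# stand-in and the label/seed shape TLS uses for key expansion.
SECRET = bytes(range(48))
LABEL = b"key expansion"
SEED = bytes(range(32, 64))  # stands in for server_random + client_random


def key_block_tls11() -> bytes:
    return prf_tls11(SECRET, LABEL, SEED, 104)


def key_block_tls12() -> bytes:
    return prf_tls12(SECRET, LABEL, SEED, 104)


if __name__ == "__main__":
    print("TLS 1.1 key block:", key_block_tls11().hex())
    print("TLS 1.2 key block:", key_block_tls12().hex())
```

Passing `hash_name="sha384"` to `prf_tls12` is all it takes to move a 1.2 handshake to a different digest, which is the negotiability the 1.1-to-1.2 restructuring bought.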