In message <[email protected]>, Viktor Dukhovni writes:
> On Mon, Mar 24, 2014 at 06:25:57AM +1100, Mark Andrews wrote:
>
> > > Site A only publishes SHA1 entries. Would rather do unauthenticated TLS
> > > than trust SHA1?
> >
> > You left out - report and refuse to send until fixed.
>
> Broken is not a binary state. Before previously reasonably sound
> algorithms are fully broken, they are first tarnished, and our
> confidence in their strength begins to fray.
>
> Refuse to send is a strong reaction, when an algorithm is only
> tarnished, with no known practical attacks, but known signs of
> weakness. Have you disabled RC4 in your browser yet? If not, your
> rather principled stand is "do as I say, not as I do".
>
> > > Site B publishes both SHA2-512 and SHA1 entries. Would you still want
> > > to trust SHA1?
> >
> > Once you decide SHA1 is not acceptable you ignore the records with SHA1
> > hashes.
>
> A flag day, one can sensibly avoid, by incrementally phasing out
> (hypothetically) SHA1 as servers publish stronger records that include
> (hypothetically) SHA1 to accommodate weaker clients in addition to stronger
> digests.
>
> > Publishing new hashes is trivial and will remain trivial.
>
> Flag days remain a major deployment problem.
>
> > Once an algorithm has reached the state where you don't trust it for a
> > purpose you don't use it for that purpose.
>
> That's fine, except at Internet scale. Windows 2003 servers still
> top out at RC4-SHA1, and at least Exchange 2003 has a broken 3DES
> implementation. Many server operators only enable RC4 for
> performance reasons.
And the reason for that is that Microsoft has no pressure on it to
release service packs with newer algorithms as clients fall back to the
known too weak algorithms. The clients are not getting the security they
think they are. What Microsoft should do is release updated clients
that do not support RC4 and also release server packs which support
newer algorithms.

> When exactly should you or I disable RC4-SHA1 support? Fortunately
> in TLS cipher suites are negotiated. I am trying to do the same
> for DANE.

There is NOTHING preventing implementations from ranking hash algorithms.
There is NOTHING preventing implementations from having an accept/reject.
There is no reason to REQUIRE implementations to rank hash algorithms.
Supporting out-of-date clients does a disservice to both yourself and them.

> --
> Viktor.
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
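The client-side ranking and accept/reject policy discussed in the message above, as an added Python example; it is not part of this thread and not code from any DANE implementation mentioned in it. It models TLSA records with the matching types defined in RFC 6698 (0 = full, 1 = SHA2-256, 2 = SHA2-512) plus a constructed private-use code point standing in for the thread's hypothetical SHA-1 entries; the rank table, the minimum accepted rank and the sample certificate bytes are assumptions chosen for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional

# TLSA matching types from RFC 6698 (IANA "TLSA Matching Types" registry).
MT_FULL = 0        # data is the full certificate / SPKI, no digest
MT_SHA256 = 1      # SHA2-256 digest
MT_SHA512 = 2      # SHA2-512 digest
# TLSA has no SHA-1 matching type; the thread's "site publishes SHA1 entries"
# case is hypothetical. This constructed value uses the private-use code point
# (255) purely so the policy below has a weak digest to rank and reject.
MT_SHA1_HYPOTHETICAL = 255

# Local client policy (an assumption, nothing the protocol mandates): a strength
# rank per matching type, higher is stronger, and the minimum rank accepted.
DIGEST_RANK = {MT_FULL: 4, MT_SHA512: 3, MT_SHA256: 2, MT_SHA1_HYPOTHETICAL: 1}
MIN_ACCEPTED_RANK = 2   # SHA-256 and stronger accepted; the SHA-1 entry is ignored

HASHERS = {
    MT_SHA256: hashlib.sha256,
    MT_SHA512: hashlib.sha512,
    MT_SHA1_HYPOTHETICAL: hashlib.sha1,
}


@dataclass(frozen=True)
class TLSA:
    usage: int          # certificate usage (0-3); not evaluated in this example
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int
    data: bytes         # digest, or the full content for matching type 0


def record_rank(record: TLSA) -> Optional[int]:
    """Strength rank of a record's matching type, or None if the type is unknown."""
    return DIGEST_RANK.get(record.matching_type)


def usable_records(records: Iterable[TLSA],
                   min_rank: int = MIN_ACCEPTED_RANK) -> List[TLSA]:
    """Drop records with unknown or below-policy digests; return strongest first."""
    kept = [r for r in records
            if record_rank(r) is not None and record_rank(r) >= min_rank]
    return sorted(kept, key=record_rank, reverse=True)


def record_matches(record: TLSA, cert_der: bytes) -> bool:
    """Compare a selector-0 record against the presented certificate bytes."""
    if record.selector != 0:
        return False   # SPKI extraction needs an X.509 parser; out of scope here
    if record.matching_type == MT_FULL:
        return record.data == cert_der
    hasher = HASHERS.get(record.matching_type)
    return hasher is not None and hasher(cert_der).digest() == record.data


def dane_verify(records: Iterable[TLSA], cert_der: bytes) -> str:
    """Return 'match', 'mismatch' or 'no-usable-records'; the caller's policy
    decides what the last case means (refuse, or fall back), as the thread debates."""
    candidates = usable_records(records)
    if not candidates:
        return "no-usable-records"
    return "match" if any(record_matches(r, cert_der) for r in candidates) else "mismatch"


# Constructed sample input: not a real certificate and not real TLSA data.
SAMPLE_CERT = b"constructed-certificate-bytes"
SITE_B_RECORDS = [   # publishes both a weak (hypothetical SHA-1) and a SHA-512 entry
    TLSA(3, 0, MT_SHA1_HYPOTHETICAL, hashlib.sha1(SAMPLE_CERT).digest()),
    TLSA(3, 0, MT_SHA512, hashlib.sha512(SAMPLE_CERT).digest()),
]
SITE_A_RECORDS = [   # publishes only the weak entry
    TLSA(3, 0, MT_SHA1_HYPOTHETICAL, hashlib.sha1(SAMPLE_CERT).digest()),
]

if __name__ == "__main__":
    print("site B:", dane_verify(SITE_B_RECORDS, SAMPLE_CERT))   # match, via SHA-512
    print("site A:", dane_verify(SITE_A_RECORDS, SAMPLE_CERT))   # no-usable-records
```

The ordering in usable_records is what lets a client prefer the SHA-512 record when a site publishes both, and the minimum rank is the accept/reject cut: lowering MIN_ACCEPTED_RANK to 1 would make the SHA-1-only site verify, raising the bar is a per-client change rather than a flag day. Rejected records are simply ignored, so a site that keeps publishing a weak entry alongside a strong one loses nothing with this client.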
