> On Oct 22, 2015, at 2:18 PM, Andrei Popov <andrei.po...@microsoft.com> wrote:
>
> What if we just made an explicit exception for root cert hash algorithms and
> not constrained them by the client's alg list?
Yes, that would be substantially less bad.

I still don't see any compelling reason to shift chain validation policy from the verifying peer (typically client) to the subject (typically server). The subject supplies its credentials, good or bad, and the *verifier* enforces the right policy. Indeed, if we rely on servers never sending weak creds, clients might be lazy and vulnerable by not checking that they got strong creds. The enforcement belongs in the verifier.

And yes, to repeat agreement with Andrei's specific point, exempting root-CA self-signatures would be substantially less bad than disallowing various signature algorithms globally.

-- 
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
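The verifier-side policy discussed above, as an added example that is not part of the thread and not code from any TLS implementation. The certificates are constructed records carrying only subject, issuer and the algorithm the issuer signed with; a real verifier would read `signatureAlgorithm` from each X.509 certificate and actually check the signature, which this sketch does not do. The algorithm names, CA names and trust store are all illustrative assumptions. The `exempt_anchor_self_signature` flag contrasts the two designs in the message: exempting the root's self-signature versus applying the accepted-algorithm list to every certificate in the chain.

```python
"""Verifier-side signature-algorithm policy over a certificate chain.

Added illustration, not code from the TLS thread or any TLS stack.
Certificates are modelled as plain records (constructed data); no
real signatures are checked here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str  # algorithm the *issuer* used to sign this certificate


def is_self_signed(cert: Cert) -> bool:
    return cert.subject == cert.issuer


def check_chain_signatures(chain, trust_anchors, accepted_algs,
                           exempt_anchor_self_signature=True):
    """Return (ok, reason) for a leaf-first chain.

    The policy lives in the verifier: whatever the peer sends, every
    signature the verifier relies on must use an accepted algorithm.
    A trust anchor is trusted because it is in the local store, not
    because of the signature on it, so its self-signature is never
    relied upon and (by default) is exempt from the algorithm check.
    """
    if not chain:
        return False, "empty chain"

    # Each certificate must be issued by the next one up the chain.
    for lower, upper in zip(chain, chain[1:]):
        if lower.issuer != upper.subject:
            return False, f"{lower.subject}: issuer {lower.issuer!r} does not match {upper.subject!r}"

    # The chain must end at an anchor, or at a cert issued by an anchor.
    top = chain[-1]
    ends_at_anchor = (top.subject in trust_anchors and is_self_signed(top)) \
        or top.issuer in trust_anchors
    if not ends_at_anchor:
        return False, "chain does not terminate at a trust anchor"

    for cert in chain:
        anchor_self_sig = cert.subject in trust_anchors and is_self_signed(cert)
        if anchor_self_sig and exempt_anchor_self_signature:
            continue  # nobody relies on this signature; skip the check
        if cert.sig_alg not in accepted_algs:
            return False, f"{cert.subject}: signed with {cert.sig_alg}, not accepted"
    return True, "ok"


# Constructed sample PKI (hypothetical names and algorithms).
ROOT = Cert("Example Root", "Example Root", "sha1WithRSA")       # old root, SHA-1 self-signature
STRONG_INT = Cert("Example CA 2", "Example Root", "sha256WithRSA")
WEAK_INT = Cert("Example CA 1", "Example Root", "sha1WithRSA")   # SHA-1 signed by the root
LEAF_STRONG = Cert("www.example.com", "Example CA 2", "sha256WithRSA")
LEAF_WEAK = Cert("www.example.com", "Example CA 1", "sha256WithRSA")

ACCEPTED = {"sha256WithRSA", "ecdsa_secp256r1_sha256"}
ANCHORS = {"Example Root"}

CHAIN_STRONG = [LEAF_STRONG, STRONG_INT, ROOT]   # only the root's self-signature is SHA-1
CHAIN_WEAK = [LEAF_WEAK, WEAK_INT, ROOT]         # a relied-upon SHA-1 signature on the intermediate
CHAIN_NO_ROOT = [LEAF_STRONG, STRONG_INT]        # server omits the root, as servers often do


if __name__ == "__main__":
    for name, chain in [("strong", CHAIN_STRONG), ("weak", CHAIN_WEAK), ("no-root", CHAIN_NO_ROOT)]:
        print(name, check_chain_signatures(chain, ANCHORS, ACCEPTED))
    # Applying the list globally rejects the perfectly good chain because of
    # the root's own self-signature, which is the outcome the exemption avoids.
    print("strong, no exemption",
          check_chain_signatures(CHAIN_STRONG, ANCHORS, ACCEPTED,
                                 exempt_anchor_self_signature=False))
```

The check runs on the verifier regardless of what the server chose to send: a server that ignores the client's list and sends `CHAIN_WEAK` is still rejected, and a client that skipped this check because it "trusted the server to filter" is exactly the lazy client the message warns about.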