On Thursday, September 01, 2016 02:30:54 pm Scott Fluhrer (sfluhrer) wrote:
> > On Thursday, 1 September 2016 12:43:31 CEST Benjamin Kaduk wrote:
> > > On 09/01/2016 12:38 PM, Hubert Kario wrote:
> > > > The SHA-3 standard is already published and accepted[1], shouldn't
> > > > TLSv1.3 include signatures with those hashes then?
> > >
> > > Why does it need to be part of the core spec instead of a separate
> > > document?
> >
> > because: we also are adding RSA-PSS to TLSv1.2 in this document, I don't see
> > why it needs to be delayed. Finally, TLSv1.2 added SHA-2 just like that, it
> > was not tacked on later.
>
> IIRC, SHA-2 was a special case; SHA-1 was demonstrated to be
> cryptographically weaker than expected and so we needed to have a secure
> alternative ASAP.
>
> The SHA-3 is not like that; there's no evidence that suggests that SHA-2 is
> weak; the only incentive to implementing SHA-3 is "well, it is a standard,
> and so we might as well support it".

The reason I see is that we currently specify exactly one valid hash algorithm (in a variety of sizes). The precedent argument is good enough for me. I think adding it in this document is definitely worth considering. I don't want to wait until SHA-2 is considered weak to provide an alternative, if we can avoid it.

Dave