> On 5 Sep 2016, at 11:17 AM, Nikos Mavrogiannopoulos <n...@redhat.com> wrote: > > On Fri, 2016-09-02 at 10:04 -0700, Eric Rescorla wrote: > >>>> I also am not following why we need to do this now. The reason we >>> defined SHA-2 in >>>> a new RFC was because (a) SHA-1 was looking weak and (b) we had >>> to make significant >>>> changes to TLS to allow the use of SHA-2. This does not seem to >>> be that case. >>> >>> I don't think we strictly _need_ to do this now, however I think >>> it's a good idea given that we'll need to do it eventually >> >> I'm not sure that that's true. > > It is unclear to me what is the intention. Due to the semantics of the > signatureAlgorithms extension in TLS 1.3, if the TLS 1.3 draft doesn't > define SHA3, it effectively _bans_ the usage of SHA3 in all certificate > chains intended to be used by TLS 1.3. If that's the intention then > yes, SHA3 should not be included.
I don’t think that’s anyone’s intention. > In that case implementations of TLS 1.3 will have to wait for a SHA3 > RFC to be published in order to enable the algorithm. That would > introduce a delay, and in certain occasions (e.g., firmware) we will > have TLS 1.3 implementations which may never support SHA3. Not necessarily. If you write a SHA-3 document now, and it is simple as such documents tend to be, it could go through the last calls before the TLS 1.3 document. If it makes a reference to the TLS 1.3 document it will end up waiting for TLS 1.3 in the RFC editor’s queue. The upside is that this adds support for SHA-3 certificates even for TLS 1.2 implementations, which makes sense to me. If there are SHA-3 certificates out there, their use and deployment should not depend on TLS 1.3 implementations. > IMO, unless there are doubts about SHA3's adoption as a certificate > algorithm, it should be part of the TLS 1.3 spec. I have doubts. If you’re a CA and you’re going to issue a certificate, are you going to use SHA-2 that is supported by nearly everything, or SHA-3 that is supported by nothing. How about in 5 years when SHA-3 is supported by all updated browsers, but not by old browsers and dozens of different programmatic clients? Besides, maybe we’ll all be using EdDSA and won’t need a hash at all. I think the hard part for SHA-3 is not using it as a certificate hash but using it as a PRF. Yoav _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls