> On 14 Mar 2017, at 23:29, Martin Thomson <martin.thom...@gmail.com> wrote:
>
> On 15 March 2017 at 08:26, Yoav Nir <ynir.i...@gmail.com> wrote:
>> That is the document that was referenced by RFC 4492 and it’s from 1998. It
>> doesn’t mention any hash function other than SHA-1.
>>
>> RFC 4492 said that other hash functions may be used. We’ve upgraded it to a
>> SHOULD.
>
> In light of recent developments, is there any reason we couldn't
> further upgrade this advice?
It might be better to rephrase the whole thing and eliminate the thing about a default. X9.62 was revised in 2005. This newer version does mention the SHA-2 family in addition to SHA-1, so I don’t know if that is in any sense of the word still “the default”. I’d look it up, but as an ANSI standard, it’s behind a paywall.

We might just say:

OLD

   All ECDSA computations MUST be performed according to ANSI X9.62 or its successors. Data to be signed/verified is hashed, and the result run directly through the ECDSA algorithm with no additional hashing. The default hash function is SHA-1 [FIPS.180-2 <https://tools.ietf.org/html/draft-ietf-tls-rfc4492bis-15#ref-FIPS.180-2>], and sha_size (see Section 5.4 <https://tools.ietf.org/html/draft-ietf-tls-rfc4492bis-15#section-5.4> and Section 5.8 <https://tools.ietf.org/html/draft-ietf-tls-rfc4492bis-15#section-5.8>) is 20. However, an alternative hash function, such as one of the new SHA hash functions specified in FIPS 180-2 [FIPS.180-2 <https://tools.ietf.org/html/draft-ietf-tls-rfc4492bis-15#ref-FIPS.180-2>], SHOULD be used instead.

NEW

   All ECDSA computations MUST be performed according to ANSI X9.62 or its successors. Data to be signed/verified is hashed, and the result run directly through the ECDSA algorithm with no additional hashing. A secure hash function such as the SHA-256, SHA-384, and SHA-512 [FIPS.180-4] MUST be used.
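Added here as an illustration, not code from the draft or from anyone on the thread: a Go sketch of the hash-then-sign rule in the NEW text, where the data is hashed exactly once, the digest goes straight into ECDSA, sha_size is the digest length, and the SHA-1 code point is refused. The TLS 1.2 HashAlgorithm code points are from RFC 5246; the key, sample message and function names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	_ "crypto/sha256" // registers SHA-256
	_ "crypto/sha512" // registers SHA-384 and SHA-512
	"fmt"
)

// TLS 1.2 HashAlgorithm code points (RFC 5246, section 7.4.1.4.1) mapped to
// the hashes the NEW text permits; SHA-1 (code point 2) is deliberately absent.
var permittedHash = map[uint8]crypto.Hash{4: crypto.SHA256, 5: crypto.SHA384, 6: crypto.SHA512}
// digestOnce is the single hashing step: its output goes straight into ECDSA
// with no additional hashing, and its length is sha_size.
func digestOnce(code uint8, data []byte) ([]byte, error) {
	h, ok := permittedHash[code]
	if !ok {
		return nil, fmt.Errorf("HashAlgorithm %d is not permitted with ECDSA", code)
	}
	hasher := h.New()
	hasher.Write(data)
	return hasher.Sum(nil), nil
}
// signECDSA returns the DER-encoded signature and sha_size.
func signECDSA(priv *ecdsa.PrivateKey, code uint8, data []byte) ([]byte, int, error) {
	digest, err := digestOnce(code, data)
	if err != nil {
		return nil, 0, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest)
	return sig, len(digest), err
}

// verifyECDSA recomputes the same digest and checks the signature against it.
func verifyECDSA(pub *ecdsa.PublicKey, code uint8, data, sig []byte) bool {
	digest, err := digestOnce(code, data)
	return err == nil && ecdsa.VerifyASN1(pub, digest, sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	msg := []byte("constructed handshake transcript") // constructed sample input
	sig, shaSize, _ := signECDSA(priv, 4, msg)
	fmt.Println(shaSize, verifyECDSA(&priv.PublicKey, 4, msg, sig)) // 32 true
	_, _, err := signECDSA(priv, 2, msg) // SHA-1 is refused
	fmt.Println(err)
}
```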
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls