Here's an attempt to define a SHA-2 alternative: https://tools.ietf.org/html/draft-wconner-blake2sigs-01
Cheers,
Andrei

-----Original Message-----
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Ilari Liusvaara
Sent: Friday, December 15, 2017 6:31 AM
To: Colm MacCárthaigh <c...@allcosts.net>
Cc: tls@ietf.org
Subject: Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS

On Thu, Dec 14, 2017 at 05:05:37PM -0800, Colm MacCárthaigh wrote:
> But I do think the question
> is worth having an answer for. I think we *do* need to prepare for
> turning off AES, there's always a chance we might have to.

Even nastier dependency: SHA-2. If that breaks, currently both TLS 1.2 and 1.3 break. There are no alternatives defined.

Yes, sure SHA-2 has taken a lot of cryptanalysis without serious trouble (I think one reason for starting SHA-3 process was perceived weakness in SHA-2, that later turned out not to be the case).

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls