I had suggested two additions, for which there has been no decision yet. I would like to see more discussion on these.
1. Usage of Extension SignatureAlgorithms by client to signal minimum required hash functions. Ralph's feedback on that suggestion was that we need more data on the extent of SHA-2 support by current and future implementations. But I think it's not just about migrating to SHA-2; it could also be useful to prevent usage of MD5.

2. When re-using keys for ECDHE (which is the default behavior in some implementations, e.g. OpenSSL) or when using non-ephemeral ECDH, the validity of the received public DH key should be checked to avoid non-group attacks. That is, it should be checked that the received point P is on the curve (unless point compression was used). Small subgroup checks could even be recommended for classical DH. Something in the spirit of RFC 6989.

-- Johannes

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
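The two checks asked for in item 2, as an added example that is not part of the original message and not code from OpenSSL or any other TLS stack: (a) a received ECDH point is parsed and verified to lie on P-256, with the compressed-point case showing why decompression makes that check implicit, and (b) a received finite-field DH value for the RFC 3526 2048-bit MODP group is range-checked and tested for membership in the prime-order subgroup, which is the small-subgroup check the post mentions. The curve and group constants are the published NIST P-256 and RFC 3526 group 14 values; the function names, the sample point encodings and the DH secret are my own, constructed for illustration.

```python
# Added example (not from the original post): public-key validation for
# TLS key exchange in the spirit of RFC 6989.  Constants are the published
# P-256 and RFC 3526 group 14 values; sample inputs below are constructed.

# NIST P-256 domain parameters. Cofactor is 1, so "on the curve" already
# implies "in the prime-order group"; curves with cofactor > 1 need an
# extra order check that this example does not implement.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def is_on_curve(x: int, y: int) -> bool:
    """y^2 == x^3 + a*x + b (mod p), with both coordinates in [0, p-1]."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def validate_ec_point(encoded: bytes) -> tuple[int, int]:
    """Parse a SEC1-encoded P-256 point and return (x, y) only if it is a
    valid non-identity point on the curve; raise ValueError otherwise."""
    if not encoded:
        raise ValueError("empty point")
    tag = encoded[0]
    if tag == 0x04:  # uncompressed: 04 || X || Y, the attacker controls Y
        if len(encoded) != 65:
            raise ValueError("bad uncompressed length")
        x = int.from_bytes(encoded[1:33], "big")
        y = int.from_bytes(encoded[33:65], "big")
        if not is_on_curve(x, y):
            raise ValueError("point not on curve")  # invalid-curve attempt
        return x, y
    if tag in (0x02, 0x03):  # compressed: 02/03 || X, Y is recomputed by us
        if len(encoded) != 33:
            raise ValueError("bad compressed length")
        x = int.from_bytes(encoded[1:], "big")
        if x >= P:
            raise ValueError("x out of range")
        rhs = (x * x * x + A * x + B) % P
        # p == 3 (mod 4): if rhs is a square its root is rhs^((p+1)/4).
        y = pow(rhs, (P + 1) // 4, P)
        if (y * y) % P != rhs:
            raise ValueError("x has no point on the curve")
        if (y & 1) != (tag & 1):
            y = P - y
        return x, y  # decompression forced the point onto the curve
    raise ValueError("unknown point encoding")  # includes 0x00 = identity


def ec_point_is_valid(encoded: bytes) -> bool:
    """Boolean wrapper around validate_ec_point for callers and tests."""
    try:
        validate_ec_point(encoded)
        return True
    except ValueError:
        return False


# RFC 3526 2048-bit MODP group (id 14): p is a safe prime, q = (p-1)/2 is
# prime, and g = 2 generates the order-q subgroup.
MODP_2048_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
MODP_2048_Q = (MODP_2048_P - 1) // 2
MODP_2048_G = 2


def validate_dh_public(y: int, p: int = MODP_2048_P, q: int = MODP_2048_Q) -> bool:
    """Small-subgroup check for a received DH public value: require
    1 < y < p-1 and y^q == 1 (mod p), i.e. y lies in the order-q subgroup.
    Rejects 0, 1 and p-1 (orders 1 and 2) and any element outside the
    prime-order subgroup, so a reused secret cannot be probed bit by bit."""
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def dh_public(x: int, p: int = MODP_2048_P, g: int = MODP_2048_G) -> int:
    """Honest peer's public value g^x mod p for a private exponent x."""
    return pow(g, x, p)


if __name__ == "__main__":
    import secrets
    x = secrets.randbelow(MODP_2048_Q - 1) + 1
    print("honest DH value accepted:", validate_dh_public(dh_public(x)))
    print("p-1 (order 2) rejected:", not validate_dh_public(MODP_2048_P - 1))
    good = b"\x04" + GX.to_bytes(32, "big") + GY.to_bytes(32, "big")
    bad = b"\x04" + GX.to_bytes(32, "big") + (GY + 1).to_bytes(32, "big")
    print("G accepted:", ec_point_is_valid(good), "| off-curve rejected:", not ec_point_is_valid(bad))
```

The uncompressed branch is where the post's concern lives: the peer supplies both coordinates, so nothing stops it from sending a point on a different curve that shares a and p but not b, and a reused private scalar then leaks through the resulting small-order group. The compressed branch never trusts a supplied y; it derives one from x and verifies the square root, so an off-curve x is rejected as a side effect of decompression, which is exactly the "unless point compression was used" caveat. For classical DH the range check alone is not enough: p-1 passes 0 < y < p but has order 2, which is why the exponentiation by q is needed.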