[gnutls-devel] moving out from SHA1

[Nikos Mavrogiannopoulos]

Hi,
 Given the first found collision for SHA1, I think it is time to plan
removing it from the trusted set. I do not believe we can do that
today in existing releases, as there is simply too much stuff relying
SHA1. Even for the web PKI which the transition from SHA1 was already
in place, major sites like amazon.com today provide an OCSP response
signed with RSA-SHA1.

So what I propose, is remove sha1 from the trusted set in gnutls 3.6.0
(to be released the second half of this year). That release will
forbid SHA1 from any operation unless special flags to indicate that
broken algorithms are allowed are set. My intention is not to
introduce a new flag to allow SHA1, but utilize the catch-all allow
broken algorithms flag.

In 3.5.x we forbid SHA1 for certificate verification in TLS, for the
NORMAL and above levels, in one of the next few releases (3.5.10 or
3.5.11), but still allow it for TLS handshake signatures. That is, we
take advantage of the verifcation PROFILEs associated with a priority
string keyword, and even though SHA1 is in general acceptable, it will
be refused for certificate verification. At the same time it will
allow applications which rely on SHA1 to continue function, as well as
connection to old servers which use TLS signatures with SHA1 (maybe
even treat OCSP differently to avoid breaking examples with amazon as
above).

6 months to a year later port that to the 3.3.x branch.

What do you think?

regards,
Nikos