Document problems with SHA-1 in certs with DANE-TA
author     Phil Pennock <pdp@exim.org>   Tue, 10 Jul 2018 18:35:58 +0000 (14:35 -0400)
committer  Phil Pennock <pdp@exim.org>   Tue, 10 Jul 2018 18:35:58 +0000 (14:35 -0400)
commit     51701a1d07f0d9799dae7db4c2b44c1cbbf17d73
tree       274376b87ae8282aee771736873e10e7b20cc054
parent     5ffb5d81efc6b1d805885252b7ae772b7c2c1b4c

Very few domains are using SHA-1 in EE certs issued from a CA used in
DANE-TA anchoring, but some are.  Meanwhile apparently GnuTLS now
defaults to disabling SHA-1 in chains.  Which is eminently reasonable.

I do not believe that Exim should re-enable use of SHA-1 here.  Let it
die.  Document with warnings that folks using a private CA for certs to
be publicly trusted via DANE-TA should follow decent operational
issuance practices.

Also update my Channel Binding docs for GSASL to warn that Channel
Binding is Broken™.
doc/doc-docbook/spec.xfpt
doc/doc-txt/GnuTLS-FAQ.txt
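The operational check the commit message above implies (is any certificate in a chain that will be trusted via DANE-TA signed with SHA-1 or MD5?) as an added example written for this page; it is not Exim, GnuTLS or GSASL code. It uses only the Python standard library: a minimal DER walker reads the outer Certificate SEQUENCE and decodes the signatureAlgorithm OID, and the OID tables are taken from RFCs 3279, 4055, 5758 and 8410. The sample chain is constructed in the block (Certificate-shaped DER with dummy tbsCertificate and signature bytes), not real certificates; the function and constant names are the example's own.

```python
"""Flag weak (SHA-1 / MD5) signatures in a PEM certificate chain.

Example helper written for this page; not Exim, GnuTLS or GSASL code.
Standard library only: a small DER walker reads the outer Certificate
SEQUENCE and decodes the signatureAlgorithm OID of each certificate.
"""
import base64
import re

# Signature algorithm OIDs we classify (RFC 3279, 4055, 5758, 8410).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.3.14.3.2.29": "sha1WithRSAEncryption (OIW arc)",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
OK_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
    "1.3.101.112": "Ed25519",
}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    n = 0
    for b in raw[1:]:                       # base-128 arcs, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    _, _, pos = _tlv(cert, 0)               # skip tbsCertificate
    tag, algid, _ = _tlv(cert, pos)         # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _tlv(algid, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return _decode_oid(oid)


def pem_to_ders(pem_bytes):
    """Every CERTIFICATE block in a PEM bundle, in file order, as DER."""
    return [base64.b64decode(b"".join(b64.split())) for b64 in PEM_RE.findall(pem_bytes)]


def audit_pem_chain(pem_bytes):
    """Classify each cert -> [(index, oid, name, 'weak' | 'ok' | 'unclassified')].

    Index 0 is the first cert in the bundle (the EE cert when the bundle came
    from `openssl s_client -showcerts`).  OIDs in neither table, e.g. RSASSA-PSS
    (1.2.840.113549.1.1.10) whose hash lives in AlgorithmIdentifier.parameters,
    are reported for manual review rather than guessed at.
    """
    report = []
    for i, der in enumerate(pem_to_ders(pem_bytes)):
        oid = signature_oid(der)
        if oid in WEAK_SIG_OIDS:
            report.append((i, oid, WEAK_SIG_OIDS[oid], "weak"))
        elif oid in OK_SIG_OIDS:
            report.append((i, oid, OK_SIG_OIDS[oid], "ok"))
        else:
            report.append((i, oid, "?", "unclassified"))
    return report


# --- constructed sample input (not real certificates) -----------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert_pem(sig_oid):
    """Certificate-shaped DER with dummy tbsCertificate and signature bytes;
    only the signatureAlgorithm field is realistic.  Constructed for the demo."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    algid = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # NULL params
    sig = _der(0x03, b"\x00" + b"\xaa" * 4)
    der = _der(0x30, tbs + algid + sig)
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


# Constructed chain: EE cert issued with SHA-1 by the private CA, an
# intermediate issued with SHA-256, and an RSASSA-PSS cert needing manual review.
SAMPLE_CHAIN_PEM = b"".join(constructed_cert_pem(o) for o in (
    "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.10"))

if __name__ == "__main__":
    for idx, oid, name, status in audit_pem_chain(SAMPLE_CHAIN_PEM):
        print(f"cert[{idx}] {status:12s} {oid} {name}")
```

To run it against a live MX, save the output of `openssl s_client -starttls smtp -connect mx.example.net:25 -showcerts` (a real OpenSSL invocation; the host is a placeholder) to a file and pass its bytes to `audit_pem_chain`. The cert at index 0 is the EE cert, which is the case the commit message describes: an EE cert signed with SHA-1 by a private CA that is published as the DANE-TA anchor. RFC 5280 path validation does not verify the trust anchor's own self-signature, so a SHA-1 self-signature on the TA certificate itself is a lesser concern than SHA-1 signatures the TA has issued on the intermediate or EE certificates; the walker reports every certificate and leaves that judgement to the operator.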