On 6/8/19 3:29 PM, Russ Housley via Datatracker wrote:
> In Section 3.2, SHA-256 is the only supported hash function. In some manner algorithm agility needs to be provided. This could be done by using the same hash function as TLS is negotiating elsewhere, by including a hash algorithm identifier, or explicitly stating that a new TLS extension will be defined for use with another hash function if flaws are found in SHA-256.
Addressing just this point, as I think it was an oversight. Section 3.2 contains the text:
   Note: Should SHA-256 prove to be inadequate at some point in the future (see [AGILITY]), a new TLS extension can be defined that uses a different hash function.
/a