drop SHA1 signatures & note DSA as NOT RECOMMENDED
The new default hash for the extensionless case is now SHA-256.
davegarrett committed Jul 7, 2015
1 parent 625e919 commit 56e481f
Showing 1 changed file with 14 additions and 11 deletions.
25 changes: 14 additions & 11 deletions draft-ietf-tls-tls13.md
Expand Up @@ -323,7 +323,7 @@ draft-07

- Remove support for weak and lesser used named curves.

- Remove support for MD5 and SHA-224 hashes with signatures.
- Remove support for MD5, SHA-1, and SHA-224 hashes with signatures.


draft-06
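Review bot: the draft-07 changelog entry only records the SHA-1 removal, but the commit message says this commit also moves the default hash for an absent "signature_algorithms" extension from sha1 to sha256, and the last hunk relaxes "MUST NOT offer it" to "SHOULD NOT". Both are behaviour changes that belong in this list, e.g. "- Change the default hash when "signature_algorithms" is absent from SHA-1 to SHA-256."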
Expand Down Expand Up @@ -2093,9 +2093,7 @@ which signature/hash algorithm pairs may be used in digital signatures. The
%%% Signature Algorithm Extension
enum {
none(0),
md5_RESERVED(1),
sha1(2),
sha224_RESERVED(3),
md5_RESERVED(1), sha1_RESERVED(2), sha224_RESERVED(3),
sha256(4), sha384(5), sha512(6),
(255)
} HashAlgorithm;
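Review bot: keeping codepoint 2 as sha1_RESERVED rather than deleting it is the right approach, since a peer's list still has to decode unambiguously before the "MUST NOT be offered or negotiated" rule below can be applied; the one-line layout also matches the existing sha256/sha384/sha512 line. No change requested.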
Expand Down Expand Up @@ -2125,18 +2123,23 @@ hash
SHA-224, SHA-256, SHA-384, and SHA-512 {{SHS}}, respectively. The
"none" value is provided for future extensibility, in case of a
signature algorithm which does not require hashing before signing.
The usage of MD5 and SHA-224 are deprecated. The md5_RESERVED and
sha224_RESERVED values MUST NOT be offered or negotiated by any
implementation.
The usage of MD5, SHA-1, and SHA-224 are deprecated. The md5_RESERVED,
sha1_RESERVED, and sha224_RESERVED values MUST NOT be offered or
negotiated by any implementation.

signature
: This field indicates the signature algorithm that may be used.
The values indicate anonymous signatures, RSASSA-PKCS1-v1_5
{{RFC3447}} and DSA {{DSS}}, and ECDSA {{ECDSA}}, respectively. The
"anonymous" value is meaningless in this context but used in
{{server-key-share}}. It MUST NOT appear in this extension.
DSA is considered obsolete and its usage is currently NOT RECOMMENDED.
{:br }

If an endpoint receives a "signature_algorithms" extension with a deprecated
value, it MUST respond with an "insufficient_security" alert and close the
connection.

The semantics of this extension are somewhat complicated because the cipher
suite indicates permissible signature algorithms but not hash algorithms.
{{server-certificate}} and {{server-key-share}} describe the
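Review bot: grammar in the changed sentence: "The usage of MD5, SHA-1, and SHA-224 are deprecated" should read "is deprecated" (the subject is "usage"). More substantively, widening the deprecated set to SHA-1 now interacts with the unchanged rule a few lines below ("If an endpoint receives a "signature_algorithms" extension with a deprecated value, it MUST respond with an "insufficient_security" alert and close the connection"): a client that lists sha1 alongside sha256 would be aborted rather than simply having sha1 ignored, which the commit message does not flag, so please confirm that is the intended effect. On the DSA sentence, "currently NOT RECOMMENDED" mixes a hedge with a 2119 keyword; "DSA is considered obsolete and its use is NOT RECOMMENDED." reads cleaner.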
Expand All @@ -2153,16 +2156,16 @@ If the client does not send the "signature_algorithms" extension, the server MUS
do the following:

- If the negotiated key exchange algorithm is one of (DHE_RSA, ECDHE_RSA),
behave as if client had sent the value {sha1,rsa}.
behave as if client had sent the value {sha256,rsa}.

- If the negotiated key exchange algorithm is DHE_DSS,
behave as if the client had sent the value {sha1,dsa}.
behave as if the client had sent the value {sha256,dsa}.

- If the negotiated key exchange algorithm is ECDHE_ECDSA,
behave as if the client had sent value {sha1,ecdsa}.
behave as if the client had sent value {sha256,ecdsa}.

Note: This extension is not meaningful for TLS versions prior to 1.2. Clients
MUST NOT offer it if they are offering prior versions. However, even if clients
SHOULD NOT offer it if they are offering prior versions. However, even if clients
do offer it, the rules specified in {{RFC6066}} require servers to ignore
extensions they do not understand.

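Review bot: the edit from "Clients MUST NOT offer it" to "SHOULD NOT" in the final paragraph is unrelated to the SHA-1 removal and is not mentioned in the commit message; if intentional it needs its own changelog entry, otherwise it reads as an accidental change and should be reverted. The new {sha256,...} defaults are consistent with the hash changes, though "{sha256,dsa}" as the DHE_DSS fallback sits oddly next to the new "DSA ... NOT RECOMMENDED" text above; a pointer to that note would help. Minor: the first bullet says "as if client had sent" while the other two say "as if the client had sent".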