author Phil Pennock <pdp@exim.org> 2018-07-10 14:35:58 -0400
committer Phil Pennock <pdp@exim.org> 2018-07-10 14:35:58 -0400
commit 51701a1d07f0d9799dae7db4c2b44c1cbbf17d73 (patch)
tree 274376b87ae8282aee771736873e10e7b20cc054 /src
parent 5ffb5d81efc6b1d805885252b7ae772b7c2c1b4c (diff)
Document problems with SHA-1 in certs with DANE-TA

Very few domains are using SHA-1 in EE certs issued from a CA used in DANE-TA anchoring, but some are.

Meanwhile apparently GnuTLS now defaults to disabling SHA-1 in chains. Which is eminently reasonable. I do not believe that Exim should re-enable use of SHA-1 here. Let it die.

Document with warnings that folks using a private CA for certs to be publicly trusted via DANE-TA should follow decent operational issuance practices.

Also update my Channel Binding docs for GSASL to warn that Channel Binding is Broken™.

Diffstat (limited to 'src')
0 files changed, 0 insertions, 0 deletions