[TLS] More flexible signature_algorithm selection for Delegated Credentials

Nick Sullivan <nick@cloudflare.com> Thu, 21 November 2019 03:55 UTC

From: Nick Sullivan <nick@cloudflare.com>
Date: Thu, 21 Nov 2019 11:54:42 +0800
Message-ID: <CAFDDyk-axXWM3x5-pqzDb933RviqZz0_Xy1+XGUME_0UtRugnA@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-0cPOEyQSJ4FQ79a8dv-4ro3NE0>

tlswg,

At IETF 106, we discussed adding the ability to advertise specific
signature algorithms for use in DCs without requiring clients to
support these signature algorithms in leaf certificates.

Here's a PR to address this issue:
https://github.com/tlswg/tls-subcerts/pull/46

Comments welcome!
Nick
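The selection rule the message describes, as an added illustration that is not part of the original post, the PR, or the draft: the client advertises one list of signature schemes for CertificateVerify with a certificate key (`signature_algorithms`) and a separate list it accepts for delegated credentials, so the server can use an Ed25519 DC even though the client would not accept Ed25519 for a leaf-certificate key. The `SignatureSchemeList` wire layout (uint16 length, then uint16 code points) and the strict "DC scheme must appear in the DC list" rule are assumptions of this example, not something the message states.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# TLS 1.3 SignatureScheme code points (RFC 8446, section 4.2.3)
ECDSA_SECP256R1_SHA256 = 0x0403
RSA_PSS_RSAE_SHA256 = 0x0804
ED25519 = 0x0807


def parse_signature_scheme_list(body: bytes) -> List[int]:
    """Parse a SignatureSchemeList (assumed layout for the DC extension body):
    a uint16 byte length followed by that many bytes of uint16 code points."""
    if len(body) < 2:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack("!H", body[:2])
    if length == 0 or length % 2 or 2 + length != len(body):
        raise ValueError("bad SignatureSchemeList length")
    return list(struct.unpack("!%dH" % (length // 2), body[2:]))


@dataclass
class Credential:
    scheme: int          # SignatureScheme the credential's key signs with
    is_delegated: bool   # True for a delegated credential, False for the cert key


def select_credential(cert_schemes: List[int],
                      dc_schemes: Optional[List[int]],
                      candidates: List[Credential]) -> Optional[Credential]:
    """Server-side choice of what signs CertificateVerify.
    A DC is usable only if its scheme is in the client's DC-specific list
    (dc_schemes is None when the client sent no DC extension); the certificate
    key is usable only if its scheme is in signature_algorithms. DCs are
    preferred so the long-lived certificate key stays off the edge server."""
    if dc_schemes is not None:
        for c in candidates:
            if c.is_delegated and c.scheme in dc_schemes:
                return c
    for c in candidates:
        if not c.is_delegated and c.scheme in cert_schemes:
            return c
    return None  # no mutually acceptable credential: handshake must fail


# Constructed ClientHello material: the client accepts only RSA-PSS and
# ECDSA for certificate keys, but Ed25519 specifically for DCs.
CLIENT_SIG_ALGS = [RSA_PSS_RSAE_SHA256, ECDSA_SECP256R1_SHA256]
CLIENT_DC_EXT_BODY = b"\x00\x02\x08\x07"          # SignatureSchemeList [ed25519]
SERVER_CREDS = [Credential(ED25519, True), Credential(RSA_PSS_RSAE_SHA256, False)]
```

With this client, `select_credential(CLIENT_SIG_ALGS, parse_signature_scheme_list(CLIENT_DC_EXT_BODY), SERVER_CREDS)` returns the Ed25519 DC; a client that omits the DC extension gets the RSA certificate key instead.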