Re: [TLS] Summary of discussion regarding spontaneuous authentication

[Ilari Liusvaara <ilari.liusvaara@elisanet.fi>]

On Wed, Oct 22, 2014 at 07:29:21AM -0700, Martin Thomson wrote:
> On 22 October 2014 06:26, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote:
> > Don't confuse certificate_types with {client,server}_certificate_type{,s}.
> 
> The claim was that this is either known, period, or can be pushed to
> the application layer.  Fact is, what we have is this:
> 
> Clients have one or zero certificates for a given server and will use
> that regardless of what appears in the CertificateRequest.

That's an argument for pushing certificate_types to application layer,
but not IMO valid argument for supported_signature_algorithms.
 
> I tend to think that we need a more general mechanism for indicating
> support for certificate types and signature algorithms.  Maybe we
> could unconditionally include those in the early handshake instead.

Yeah, agreed. The supported_signature_algorithms could very well
be pushed to ServerHello (or EncryptedExtensions!).

Also, the current supported_signature_algorithms is not quite expressive
enough for ECC. The problem is, there are implementations like:

- ECDSA/SHA-256 is ok when using 256-bit curve.
- ECDSA/SHA-384 is ok when using 384-bit curve.
- Try to use ECDSA/SHA-256 with 384-bit curve or ECDSA/SHA-384 with 256-
  bit curve and things just blow up.

Such implementation would signal ECDSA/SHA-256 and ECDSA/SHA-384 in
supported_signature_algorithms, but that is not the whole story.


-Ilari