[TLS] Signature Algorithms Extension Clarification

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 22 September 2016 09:33 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2AoiiRSdZf4o_P4r-cVaJ-fy6Bk>

Hi all,

I need a clarification regarding the use of the signature algorithms.

Reading Section 4.2.3. "Signature Algorithms" I got the impression that 
there is a new extension being defined called 
'supported_signature_algorithms', which replaces the previous 
'signature_algorithm' extension.

The difference between the 'signature_algorithm' extension in RFC 5246 
and the newly defined 'supported_signature_algorithms' extension is that 
the new extension only contains the digital signature algorithm and not 
the hash function anymore.

If that's indeed the intention I would prefer if the text uses the 
'supported_signature_algorithms' rather than 'signature_algorithms' 
(as it is done in Section 4.4.2. "Certificate Verify"). Unfortunately 
the term 'signature_algorithms' is used in many other places in the 
document itself, including the IANA consideration section that makes a 
reference to RFC 5246.

Is it correct that the 'supported_signature_algorithms' extension 
replaces the 'signature_algorithm' extension from RFC 5246?

Ciao
Hannes
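
For reference, an added example that is not part of the original message: a parser for the extension as RFC 5246 (Section 7.4.1.4.1) encodes it, where each list entry is a hash/signature byte pair, which is the pairing the message refers to. The function names and the sample bytes are constructed for illustration; the code points are those of RFC 5246.

```python
import struct

# Code points from RFC 5246, Section 7.4.1.4.1.
HASH = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
        4: "sha256", 5: "sha384", 6: "sha512"}
SIG = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
EXT_SIGNATURE_ALGORITHMS = 13  # extension type assigned in RFC 5246


def find_extension(extensions: bytes, wanted: int):
    """Walk extension records (u16 type, u16 length, data) and return the
    data of the first record of type `wanted`, or None. `extensions` is the
    block content after its own 2-byte total-length prefix."""
    off = 0
    while off < len(extensions):
        if off + 4 > len(extensions):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", extensions, off)
        off += 4
        if off + ext_len > len(extensions):
            raise ValueError("extension length exceeds block")
        if ext_type == wanted:
            return extensions[off:off + ext_len]
        off += ext_len
    return None


def parse_signature_algorithms(ext_data: bytes):
    """Decode extension_data into (hash, signature) name pairs."""
    if len(ext_data) < 2:
        raise ValueError("truncated: missing list length")
    (list_len,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if list_len != len(body):
        raise ValueError("list length does not match extension data")
    if list_len == 0 or list_len % 2:
        raise ValueError("list must hold one or more 2-byte entries")
    return [(HASH.get(body[i], f"unknown({body[i]})"),
             SIG.get(body[i + 1], f"unknown({body[i + 1]})"))
            for i in range(0, list_len, 2)]


# Constructed sample: a renegotiation_info record followed by a
# signature_algorithms record offering sha256/rsa, sha256/ecdsa, sha1/rsa.
SAMPLE_EXTENSIONS = bytes.fromhex("ff01000100" "000d0008" "0006" "040104030201")

if __name__ == "__main__":
    data = find_extension(SAMPLE_EXTENSIONS, EXT_SIGNATURE_ALGORITHMS)
    print(parse_signature_algorithms(data))
```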