[TLS] Regarding multiple signature algorithms in TLS 1.3
Philip Lafrance <philip.lafrance92@gmail.com> Wed, 05 July 2017 15:20 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3td5AOzJh-_DWtRbR5jBRb7q4UA>
Hello all,

I am not certain whether the issue of multiple signature algorithms has previously come up in the TLS 1.3 discussion and was wondering if this is something we need to consider.

As many of you know, updating roots of trust to support quantum-resistant algorithms in various devices may be a fairly urgent issue. Fortunately, we can use hash-based algorithms for that soon. Hash-based algorithms can even be used in end-entity certificates for code signing.

Now, I am wondering if we will ever have a situation where we will need to support certificate chains in TLS where CA certificates use hash-based algorithms and end-entity certificates use some new stateless signature algorithm. If that is the case, we will need to support multiple digital signatures in one certificate chain.

Does TLS 1.3 currently permit negotiating multiple signature algorithms? Admittedly I don’t quite have the current draft memorized, but a cursory reading of v21 seems to suggest that it does not allow for multiple algorithms; simply that the client sends an ordered list of preferred algorithms and the server selects one of them.

If not, then does anyone think it is worthwhile to add this functionality to TLS 1.3?

Thanks in advance,
Philip Lafrance
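The negotiation the message describes (the client offers an ordered list, the server picks one entry) can be sketched as follows; this is an added example, not part of the original message or of any TLS implementation. It assumes the server honours the client's preference order and that the offered list is also applied to the signatures inside the certificates of the chain; the byte string is constructed sample data, and code point `0xFE00` is a private-use value standing in for a hypothetical hash-based scheme.

```python
import struct

EXT_SIGNATURE_ALGORITHMS = 13  # extension type of signature_algorithms
# SignatureScheme code points; 0xFE00 is private-use and hypothetical here.
ED25519, ECDSA_P256, RSA_PSS_256, RSA_PKCS1_256, HASH_BASED = (
    0x0807, 0x0403, 0x0804, 0x0401, 0xFE00)

# Constructed extension: type | length | list length | four uint16 schemes.
SAMPLE_EXT = bytes.fromhex("000d" "000a" "0008" "0807" "0403" "fe00" "0804")

def parse_signature_algorithms(ext):
    """Return the client's schemes, in preference order, from one extension."""
    if len(ext) < 6:
        raise ValueError("truncated extension")
    ext_type, ext_len, list_len = struct.unpack_from("!HHH", ext)
    if ext_type != EXT_SIGNATURE_ALGORITHMS:
        raise ValueError("not a signature_algorithms extension")
    if ext_len != len(ext) - 4 or list_len != ext_len - 2:
        raise ValueError("inconsistent length fields")
    if list_len == 0 or list_len % 2:
        raise ValueError("scheme list must be a non-empty run of uint16 values")
    return list(struct.unpack_from(f"!{list_len // 2}H", ext, 6))

def select_scheme(client_offer, server_key_schemes):
    """Pick the handshake signature scheme: first client preference that the
    server's end-entity key can produce, or None if there is no overlap."""
    for scheme in client_offer:
        if scheme in server_key_schemes:
            return scheme
    return None

def unsupported_chain_signatures(client_offer, chain_sig_schemes):
    """List the schemes used to sign certificates in the chain that the client
    did not offer (assumption: the offered list also covers certificates)."""
    offered = set(client_offer)
    return [s for s in chain_sig_schemes if s not in offered]

if __name__ == "__main__":
    offer = parse_signature_algorithms(SAMPLE_EXT)
    # End-entity key is ECDSA; both certificates were signed with HASH_BASED.
    print(hex(select_scheme(offer, {ECDSA_P256})))
    print(unsupported_chain_signatures(offer, [HASH_BASED, HASH_BASED]))
```

Under those assumptions a single offered list covers a chain whose CA signatures and handshake signature use different schemes, provided the client lists every scheme involved.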