Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client
Matt DeMoss <demoss.matt@gmail.com> Thu, 10 March 2011 21:58 UTC
Return-Path: <demoss.matt@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 229D53A6ABC for <tls@core3.amsl.com>; Thu, 10 Mar 2011 13:58:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.959
X-Spam-Level:
X-Spam-Status: No, score=-2.959 tagged_above=-999 required=5 tests=[AWL=0.640, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R3H9wxmWFDx9 for <tls@core3.amsl.com>; Thu, 10 Mar 2011 13:58:06 -0800 (PST)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id 093373A6A79 for <tls@ietf.org>; Thu, 10 Mar 2011 13:58:05 -0800 (PST)
Received: by fxm15 with SMTP id 15so475852fxm.31 for <tls@ietf.org>; Thu, 10 Mar 2011 13:59:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=vYyUoo9rSblt47x4g6qVfQOIKvgMLthlf1VxVmtRnds=; b=W6N0hmuOhBsj8s1XVhTBHl0rZpxtzfnVmftKujm/BmhgqKSBIHYASWRfzften+2Loj Q+xmSnfgjMhEaKFdY5hbmbpXnx9c3NiH71J2elRGaNYtm2R0ZIN7bXjLPZxMwPLPKSgp NBKQi3zDWrbhXsVIivW0ipKc4Z10Irm1V6B3c=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=TmM3JMFJch90yKhWfEEPxumsIRiq/F4TBy2WV3VtFQTI2D0ZR1AL18Oq0d6s7lBeBs 4Yp86U7SrAeVVtt1oJqj2wwCK2X56Ji+RS987yJjR11Lrn4eyUSvl6ol23LJsZ602fun rTZqOTgoTHp8Ei8OsPhw3lAdb+i9LXkidavwI=
MIME-Version: 1.0
Received: by 10.223.30.66 with SMTP id t2mr784350fac.16.1299794363576; Thu, 10 Mar 2011 13:59:23 -0800 (PST)
Received: by 10.223.127.9 with HTTP; Thu, 10 Mar 2011 13:59:23 -0800 (PST)
In-Reply-To: <201103042341.p24NfVKj018910@fs4113.wdf.sap.corp>
References: <m2r5amh76n.fsf@localhost.localdomain> <201103042341.p24NfVKj018910@fs4113.wdf.sap.corp>
Date: Thu, 10 Mar 2011 16:59:23 -0500
Message-ID: <AANLkTinMav4990gG9NCT3PbMrCGQCYtLGrZNb=EzB+Z7@mail.gmail.com>
From: Matt DeMoss <demoss.matt@gmail.com>
To: mrex@sap.com
Content-Type: text/plain; charset="ISO-8859-1"
Cc: tls@ietf.org
Subject: Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2011 21:58:07 -0000
On Fri, Mar 4, 2011 at 6:41 PM, Martin Rex <mrex@sap.com> wrote: > > The TLS spec should not mess around with PKI and X.509 issues. > Negotiation of the algorithm used for the "digitally signed" struct > ought to be _completely_ seperate from characteristics of certificates. > > A TLS extension to convey hints about digital signature algorithms > ought to be a fairly black box to TLS, containing a list of > ASN.1 AlgIds, and with the semantic of a "hint to the PKI software > for selecting the most appropriate certificates", i.e. "MAY" not "MUST". > This is interesting to me; as a kind of thought experiment do you think it would ever be appropriate for TLS to negotiate hash algorithms on CRLs or on OCSP responses? It seems unlikely that multiple CRLs will be generated with different hashes and that is only slightly less true for X.509 certs. Does it make more sense for TLS to instead negotiate the version of X.509 (or PKIX profile, or other credential) in use and hope some future version will provide functionality for a smoother transition? I read RFC 5280 to say there can only be one signature per certificate, but it isn't hard to imagine having doubly signed certificates in the future.
- [TLS] TLSv1.2 with DSA client cert and key size >… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Wan-Teh Chang
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- [TLS] TLS v1.2 performance (was Re: TLSv1.2 with … Michael D'Errico
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Nikos Mavrogiannopoulos
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Dr Stephen Henson
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Dr Stephen Henson
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Kemp, David P.
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Wan-Teh Chang
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Yoav Nir
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Marsh Ray
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Kyle Hamilton
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Matt DeMoss
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Matt DeMoss
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Sean Turner
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex