IETF Logo Mail Archive

RE: [TLS] TLS 1.2 and hash agility for signatures

<Pasi.Eronen@nokia.com> Tue, 20 March 2007 12:55 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTds5-0008Rl-HL; Tue, 20 Mar 2007 08:55:25 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTds4-0008Rg-TN for tls@ietf.org; Tue, 20 Mar 2007 08:55:24 -0400
Received: from smtp.nokia.com ([131.228.20.171] helo=mgw-ext12.nokia.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HTds2-0004E6-8O for tls@ietf.org; Tue, 20 Mar 2007 08:55:24 -0400
Received: from esebh108.NOE.Nokia.com (esebh108.ntc.nokia.com [172.21.143.145]) by mgw-ext12.nokia.com (Switch-3.2.5/Switch-3.2.5) with ESMTP id l2KCt7ZH012764; Tue, 20 Mar 2007 14:55:16 +0200
Received: from esebh104.NOE.Nokia.com ([172.21.143.34]) by esebh108.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 20 Mar 2007 14:55:13 +0200
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebh104.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 20 Mar 2007 14:55:13 +0200
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] TLS 1.2 and hash agility for signatures
Date: Tue, 20 Mar 2007 14:55:11 +0200
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F2403E9253E@esebe105.NOE.Nokia.com>
In-Reply-To: <20070320122737.GA19513@tau.invalid>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] TLS 1.2 and hash agility for signatures
Thread-Index: Acdq6ysITzJdrFayTZecO/JvZ8+isgAAOblQ
References: <B356D8F434D20B40A8CEDAEC305A1F2403D821E1@esebe105.NOE.Nokia.com> <20070306143001.GA19204@tau.invalid> <B356D8F434D20B40A8CEDAEC305A1F2403E566B1@esebe105.NOE.Nokia.com> <20070320122737.GA19513@tau.invalid>
From: Pasi.Eronen@nokia.com
To: bmoeller@acm.org
X-OriginalArrivalTime: 20 Mar 2007 12:55:13.0235 (UTC) FILETIME=[FFF4EA30:01C76AEE]
X-eXpurgate-Category: 1/0
X-eXpurgate-ID: 149371::070320145516-2FA7FBB0-651C6158/0-0/0-1
X-Nokia-AV: Clean
X-Spam-Score: 0.2 (/)
X-Scan-Signature: f4c2cf0bccc868e4cc88dace71fb3f44
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Bodo Moeller wrote:

> I guess it's best to include a ClientCertificateType field into the
> client's Certificate message (not the CertificateVerify message since
> some methods don't use it):

Hmmm... why do we need ClientCertificateType in the Certificate 
message, if we also add the algorithm identifier to Signature type 
(also for RSA)?

<snip>
> You are right that including an algorithm identifier field into the
> Signature type make sense.  I'd prefer to keep this optional since
> it's not always needed, since for example the "rsa" case of Signature
> really means RSA PKCS#1 v1.5, which does not need the algorithm
> identifier.  

In today's meeting somebody pointed out that we probably want the
identifier for RSA PKCS# v1.5 as well, since some crypto libraries
export an API that matches the "signature verification operation"
described in RFC 3447 Section 8.2.2. And there you actually need to
know which hash algorithm was used before you start verifying the
signature...

> Any other use of RSA signatures, such as PSS, would require new 
> ciphersuites and new "ClientCertificateType" values (sort
> of a misnomer, since distinct client authentication methods don't
> necessarily imply distinct X.509 certificates ...), or possibly other
> (extension-based) ways of negotiating the use of PSS or whatever.  

I agree, PSS server certificates would be best handled by new cipher
suites, and PSS client certificates with new client certificate types.

<snip>
> > If we use the AlgorithmIdentifier structure in the Signature,
> > would that also work for the cert_hash_types extension? (Which,
> > as you point, could be really called "signature_hash_types" 
> > since it also covers signatures outside certs.)
> 
> You mean, to indicate hash algorithms in this case (not signature
> algorithms)?  I'd prefer using a brief list of identifiers defined in
> the TLS specification (which is exactly what HashType is now), to be
> interpreted as a hint and not as a complete description of what the
> party in question can handle.
>
> (In some cases, depending on the software design, we might have
> implementations that can handle certain hash functions for some
> signature algorithms but not for others.  We can't put all such
> details into a HashType list.  Possibly we could cope with this by
> using a list of *signature* AlgorithmIdentifiers, but such a list
> easily could become very huge, and still wouldn't solve all problems
> related to signature and certificate verification.  

I was thinking about signature algorithm identifiers; but I do agree
that the list could easily get quite long. 

Best regards,
Pasi

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email