Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis
Martin Thomson <martin.thomson@gmail.com> Mon, 01 December 2014 07:17 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C97F1A1ADF for <tls@ietfa.amsl.com>; Sun, 30 Nov 2014 23:17:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gib9eID-WyIA for <tls@ietfa.amsl.com>; Sun, 30 Nov 2014 23:17:22 -0800 (PST)
Received: from mail-ob0-x235.google.com (mail-ob0-x235.google.com [IPv6:2607:f8b0:4003:c01::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12F3E1A1ADB for <tls@ietf.org>; Sun, 30 Nov 2014 23:17:22 -0800 (PST)
Received: by mail-ob0-f181.google.com with SMTP id gq1so7241974obb.26 for <tls@ietf.org>; Sun, 30 Nov 2014 23:17:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=IRLfYcsGVxYeJtaNq668UKE6o3AIjmnk99A0CMSXRGc=; b=jZJi0RE8apDGv8JQxrWQiiez/HAVSGL5GlD6ejMwSyz6Sb4ej7QMl/35mmSh6c8SGV z39UiE45V0m8ShBDmt4pZBe4NGbABbLkTIUGIabx3m92SjMr7HpKpDE4dHFumkKWo5gr FHkCyPh5zfkXHundOyCnvMdFjyV3r/zTez3EUQWULPEn8s7IVwpz+t5qXqDacAGT0Vfz VWoE2rNU21j4SYV735NjurUFRPJoRtzaLUYLIC8svUjPCEFO1gXxChybB8sH0bQAQTLk jmcvUNbVl3pU0aZRHppLlgYOQhLjVzox66rHswnifoLR7JUlpZkKykAbHhO6wFokc+c1 4EnQ==
MIME-Version: 1.0
X-Received: by 10.202.225.197 with SMTP id y188mr6866804oig.94.1417418241274; Sun, 30 Nov 2014 23:17:21 -0800 (PST)
Received: by 10.202.115.4 with HTTP; Sun, 30 Nov 2014 23:17:21 -0800 (PST)
In-Reply-To: <9FE323BF-2650-4EA3-9CBB-B46CF3A00298@pahtak.org>
References: <9A043F3CF02CD34C8E74AC1594475C739B9F7A14@uxcn10-tdc05.UoA.auckland.ac.nz> <9FE323BF-2650-4EA3-9CBB-B46CF3A00298@pahtak.org>
Date: Sun, 30 Nov 2014 23:17:21 -0800
Message-ID: <CABkgnnV4JUoS3jV_vp4KV_xX-wdXa4ART7gtMd7BUZMapELRLw@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Stephen Checkoway <s@pahtak.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/HTeQASiA4eoW6xNkXD7rQEaI4c8
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Dec 2014 07:17:23 -0000
On 30 November 2014 at 13:52, Stephen Checkoway <s@pahtak.org> wrote: > How is the signature algorithm any different from the cipher suite in this respect? If the client says it can only do ECDSA, what's the point of giving it an RSA cert that it cannot use? I think that the difference is that - at least for most clients - they support both. Or at least, servers have been able to deploy ECDSA certs that chain to RSA with the expectation that RSA hasn't gone away yet. And that's relatively new. Peter refers to the fact that servers (and CAs) have picked a certificate that works based on what they know of clients, and had just the one. That single cert is offered unconditionally. If the client doesn't like it, then it can be responsible for choking on it. CAs could have offered a range of certificates with varying strength and signature algorithms, but one is always easier in every regard. Migrating away from mostly RSA might have changed that a little.
- [TLS] WG adoption: draft-nir-tls-rfc4492bis Sean Turner
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Nikos Mavrogiannopoulos
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Yoav Nir
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Sean Turner
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Sean Turner
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Yoav Nir
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Stephen Checkoway
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Martin Rex
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Yoav Nir
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Stephen Checkoway
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Martin Rex
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Stephen Checkoway
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Martin Thomson
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Stephen Checkoway
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Martin Thomson
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Peter Gutmann
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Stephen Checkoway
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Martin Thomson
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Ryan Sleevi
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Ilari Liusvaara
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Sean Turner
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Stephen Checkoway
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Sean Turner
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Peter Gutmann
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Jeffrey Walton
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Peter Gutmann
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Martin Rex