Re: [TLS] TLS 1.2 hash agility
Eric Rescorla <ekr@networkresonance.com> Fri, 14 September 2007 22:59 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IWK8W-00023F-V8; Fri, 14 Sep 2007 18:59:44 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IWK8U-00022e-TJ for tls@ietf.org; Fri, 14 Sep 2007 18:59:42 -0400
Received: from [209.213.211.195] (helo=delta.rtfm.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IWK8T-0006nW-NL for tls@ietf.org; Fri, 14 Sep 2007 18:59:42 -0400
Received: from delta.rtfm.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id 9E9B433C21; Fri, 14 Sep 2007 15:56:06 -0700 (PDT)
Date: Fri, 14 Sep 2007 15:56:05 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Mike <mike-list@pobox.com>
Subject: Re: [TLS] TLS 1.2 hash agility
In-Reply-To: <46EB102E.2070900@pobox.com>
References: <46ABB82D.8090709@pobox.com> <46ACCCCB.8000201@pobox.com> <B356D8F434D20B40A8CEDAEC305A1F24046B2496@esebe105.NOE.Nokia.com> <20070914215611.0342933C21@delta.rtfm.com> <46EB102E.2070900@pobox.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20070914225606.9E9B433C21@delta.rtfm.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 4d87d2aa806f79fed918a62e834505ca
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
At Fri, 14 Sep 2007 15:50:22 -0700, Mike wrote: > > >>> I think the solution we need is to specifically list each supported > >>> signature algorithm, e.g. > >>> > >>> enum { > >>> rsa_with_md5(0), rsa_with_sha1(1), > >>> rsa_with_sha256(2), rsa_with_sha384(3), > >>> rsa_with_sha512(4), dsa_with_sha1(5), > >>> (65535) > >>> }; > >> > >> And then we could change Signature structure to > >> > >> struct { > >> SignatureAlgorithm signature_algorithm; > >> opaque signature_value<0..2^16-1>; > >> } Signature; > >> > >> Eric, what's your opinion? > > > > OK, I started trying to wire this into TLS and it's messy. > > There are three contexts we have to think about: > > > > - Certs (from either side) > > - CertificateVerify > > - ServerKeyExchange > > > > The difficulty is that the latter two already have signals indicating > > what acceptable signature algorithms are, in the ClientCertificateType, > > and the ciphersuite respectively. So, we either need to significantly > > reconstruct those or have duplication of information, with the > > result that you have to potentially deal with mismatched information, > > e.g., only offering RSA in the SKE, but offering RSA and DSA in the > > new value. > > I think this information is disjoint. For example, you can have a DSA > key in a certificate that is signed by RSA/SHA-1. Yes, that's why I separated certificates from the other two situations. Currently (in TLS 1.1) there are basically no restrictions on what algorithms are used to sign the certs. The ciphersuite and the ClientCertificateType indicate only the public key algorithm and not the hash algorithm. So, we need to extend all three cases, to indicate the hash algorithms that are supported. -Ekr _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] TLS 1.2 Eric Rescorla
- Re: [TLS] TLS 1.2 Steven M. Bellovin
- Re: [TLS] TLS 1.2 Peter Gutmann
- Re: [TLS] TLS 1.2 Steven M. Bellovin
- Re: [TLS] TLS 1.2 Bodo Moeller
- [TLS] TLS 1.2 Mike
- [TLS] TLS 1.2 Mike
- [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 Mike
- [TLS] TLS 1.2 MAC calculation Mike
- Antwort: [TLS] TLS 1.2 MAC calculation Axel.Heider
- Re: Antwort: [TLS] TLS 1.2 MAC calculation Bodo Moeller
- Re: [TLS] TLS 1.2 interoperating Mike
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Mike
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- RE: [TLS] TLS 1.2 hash agility Russ Housley
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen