IETF Logo Mail Archive

Re: [TLS] TLS 1.2 hash agility

Mike <mike-list@pobox.com> Thu, 27 September 2007 14:20 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IauE6-0006q1-Ts; Thu, 27 Sep 2007 10:20:26 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IauE5-0005nz-Ku for tls@ietf.org; Thu, 27 Sep 2007 10:20:25 -0400
Received: from sceptre.pobox.com ([207.106.133.20]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IauDv-0007ky-GN for tls@ietf.org; Thu, 27 Sep 2007 10:20:21 -0400
Received: from sceptre (localhost.localdomain [127.0.0.1]) by sceptre.pobox.com (Postfix) with ESMTP id E957A2F0; Thu, 27 Sep 2007 10:19:39 -0400 (EDT)
Received: from [192.168.1.8] (wsip-24-234-114-35.lv.lv.cox.net [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by sceptre.sasl.smtp.pobox.com (Postfix) with ESMTP id 933DA817C2; Thu, 27 Sep 2007 10:19:38 -0400 (EDT)
Message-ID: <46FBBBBE.7000108@pobox.com>
Date: Thu, 27 Sep 2007 07:18:38 -0700
From: Mike <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Eric Rescorla <ekr@networkresonance.com>
Subject: Re: [TLS] TLS 1.2 hash agility
References: <46ABB82D.8090709@pobox.com> <46ACCCCB.8000201@pobox.com> <B356D8F434D20B40A8CEDAEC305A1F24046B2496@esebe105.NOE.Nokia.com> <20070914215611.0342933C21@delta.rtfm.com> <46EB102E.2070900@pobox.com> <20070914225606.9E9B433C21@delta.rtfm.com> <46EC2AE7.9040903@pobox.com> <20070917185820.6E7CC33C3A@delta.rtfm.com> <46FA745A.3070305@pobox.com> <20070926152907.8A60B33C23@delta.rtfm.com> <46FA91E8.5020303@pobox.com> <46FB4397.6040203@pobox.com>
In-Reply-To: <46FB4397.6040203@pobox.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b30eb7682a596edff707698f4a80f7d
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

> I spent [a lot of time] trying to come up with other valid
> reasons for using the extension to advertise the server's
> capabilities, versus putting them in the CertificateRequest.  The
> only thing I could come up with is that putting the list of
> signature algorithms in the CertificateRequest is a change to the
> format of that message, so it requires version-specific processing,
> whereas if you use the server extension, the format of Certificate
> Request is the same as previous TLS versions.

I came up with a few more ideas, unfortunately at the expense of
not being able to sleep:

   - The extension mechanism was added to TLS to enable the
     addition of functionality without needing to constantly
     change handshake message formats; so I would argue that
     any functionality that -can- be added using an extension
     -should- use an extension instead of modifying messages.
     (Yes, Signature had to change so messages will be
     different, but limiting the damage is a worthy goal.)

   - There is a potential performance benefit on the client
     side: if the client requires better algorithms than the
     defaults and the server either doesn't reply with the
     extension, or if the list doesn't contain an acceptable
     algorithm, then the client can abort the connection
     immediately after parsing the ServerHello message.  It
     can avoid the need to parse the Certificate message to
     determine how it was signed.

The only counter argument I could find is that the server's list
of acceptable algorithms might be different in different places.
Even if so, the client can benefit from knowing the server's
certificate signature algorithms up front, so having the server
respond with the extension is useful.  Then I would suggest
that signature_algorithms in CertificateRequest could be empty,
which would mean, "use the same list given in the server's
signature algorithms extension."

Mike

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.35.0 | Report a Bug | By Email | System Status