[TLS] Client Request and ecdsa_sign
"Mehner, Carl" <Carl.Mehner@usaa.com> Sat, 14 March 2015 05:43 UTC
Return-Path: <prvs=0515aadaac=carl.mehner@usaa.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C5661AC3F8 for <tls@ietfa.amsl.com>; Fri, 13 Mar 2015 22:43:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.112
X-Spam-Level:
X-Spam-Status: No, score=-5.112 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bVhBWQkcCHOo for <tls@ietfa.amsl.com>; Fri, 13 Mar 2015 22:43:15 -0700 (PDT)
Received: from prodomx02.usaa.com (prodomx02.usaa.com [167.24.25.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BD451AC3F7 for <tls@ietf.org>; Fri, 13 Mar 2015 22:43:14 -0700 (PDT)
Received: from pps.filterd (prodomx02.usaa.com [127.0.0.1]) by prodomx02.usaa.com (8.14.7/8.14.7) with SMTP id t2E5hDaf020137 for <tls@ietf.org>; Sat, 14 Mar 2015 00:43:13 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=usaa.com; h=from : to : subject : date : message-id : content-type : content-transfer-encoding : mime-version; s=201408; bh=pxkH0A0QOnH+lbj9p9ux4rrO6GaWukd8ZNb5VCLIvVk=; b=S75FCPRW86M62H2wt2k5rI266PbVLMrdBjSKBZbdtgHmVL0pXADcVIIQk5lq/fWxPjKB hF+uB5JWbiESgzq6qb6OxMWK93zbZv43jAR5ppVBjNT2A5Zivc8pIWK7ZPuYNZeaAw3V r7arHLlQ812BtbXK8iDGQIFkoPKPBC0F1ktjPy1lPPRxK1Np78EAkF2pJk/ck2dbNL/7 zO7eXBahDwaBsGha9gjo+0eicWbrAps4m3eVgeZOG+a5C+iug04+4FphALs36aniT9QU ljyhNLSgI3q7B2a+pAGJ1cQlDn38cme5KO+hwYRxdXB5jdV0pp99i8B9x4EHPux8QIHG FA==
Received: from prodexch04w.eagle.usaa.com (prodexch04w.eagle.usaa.com [10.170.40.30]) by prodomx02.usaa.com with ESMTP id 1t36ba5uj3-1 for <tls@ietf.org>; Sat, 14 Mar 2015 00:43:13 -0500
Received: from PRODEXMB01W.eagle.usaa.com ([169.254.1.159]) by PRODEXCH04W.eagle.usaa.com ([10.170.40.30]) with mapi id 14.03.0158.001; Sat, 14 Mar 2015 00:43:13 -0500
From: "Mehner, Carl" <Carl.Mehner@usaa.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: Client Request and ecdsa_sign
Thread-Index: AdBeFxZAgbOQWepsTpeFtVwI35PnEA==
Date: Sat, 14 Mar 2015 05:43:12 +0000
Message-ID: <19075EB00EA7FE49AFF87E5818D673D41145EEAA@PRODEXMB01W.eagle.usaa.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [104.191.4.19]
x-c2processedorg: b8bcc573-fb52-4e08-924e-ca559c360d81
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Direction: FromExch
X-Proofpoint-Direction: Internet
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.13.68, 1.0.33, 0.0.0000 definitions=2015-03-14_01:2015-03-13,2015-03-14,1970-01-01 signatures=0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/RsB3la_prLtEq7XPp4nd76pBz3k>
Subject: [TLS] Client Request and ecdsa_sign
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Mar 2015 05:43:17 -0000
I created a new issue on GitHub: https://github.com/tlswg/tls13-spec/issues/154 Right now it appears that ecdsa certificates are not allowed for use as client certificates. Should we explicitly state that they may be used in the Client Certificate section? this would add an element (ecdsa_sign(64)) to the ClientCertificateType enum to make it: enum { rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6), fortezza_dms_RESERVED(20), ecdsa_sign(64), (255) } ClientCertificateType; as well as a new line to the certificate_types: ecdsa_sign a certificate containing an ECDSA key I suppose we could add in the ecdsa_fixed_ecdh as well... but weren't we trying to go pure ephemeral? If so, should we take out the other *_fixed_dh identifiers? Already the paragraph that starts, "For historical reasons," says those have been obsoleted.
- [TLS] Client Request and ecdsa_sign Mehner, Carl
- Re: [TLS] Client Request and ecdsa_sign Eric Rescorla