Re: [TLS] TLS 1.2 hash agility

Eric Rescorla <ekr@networkresonance.com> Fri, 14 September 2007 21:59 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IWJCW-00077w-Th; Fri, 14 Sep 2007 17:59:48 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IWJCU-00077T-Sm for tls@ietf.org; Fri, 14 Sep 2007 17:59:46 -0400
Received: from [209.213.211.195] (helo=delta.rtfm.com) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IWJCU-0006sx-GH for tls@ietf.org; Fri, 14 Sep 2007 17:59:46 -0400
Received: from delta.rtfm.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id 0342933C21; Fri, 14 Sep 2007 14:56:10 -0700 (PDT)
Date: Fri, 14 Sep 2007 14:56:10 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Pasi.Eronen@nokia.com
Subject: Re: [TLS] TLS 1.2 hash agility
In-Reply-To: <B356D8F434D20B40A8CEDAEC305A1F24046B2496@esebe105.NOE.Nokia.com>
References: <46ABB82D.8090709@pobox.com> <46ACCCCB.8000201@pobox.com> <B356D8F434D20B40A8CEDAEC305A1F24046B2496@esebe105.NOE.Nokia.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20070914215611.0342933C21@delta.rtfm.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: c1c65599517f9ac32519d043c37c5336
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

At Thu, 9 Aug 2007 12:34:07 +0300,
<Pasi.Eronen@nokia.com> wrote:
> 
> Mike (mike-list@pobox.com) wrote:
> 
> > I think the solution we need is to specifically list each supported
> > signature algorithm, e.g.
> > 
> >      enum {
> >        rsa_with_md5(0),    rsa_with_sha1(1),
> >        rsa_with_sha256(2), rsa_with_sha384(3),
> >        rsa_with_sha512(4), dsa_with_sha1(5),
> >        (65535)
> >      };
> > 
> > These may not be specific enough, as I've seen suggestions for,
> > e.g. rsa_pkcs1v1_5_with_sha1, and I've heard that some algorithms
> > need parameters, but I think I've made my point.
> 
> I think your suggestion looks good; it seems to handle the DSA and
> ECDSA cases better than just a list of hashes, and it's more
> in TLS style than sending DER-encoded AlgorithmIdentifiers. 
> And then we could change Signature structure to
> 
>    struct {
>       SignatureAlgorithm signature_algorithm;
>       opaque signature_value<0..2^16-1>;
>    } Signature;  
> 
> Eric, what's your opinion?

OK, I started trying to wire this into TLS and it's messy.
There are three contexts we have to think about:

- Certs (from either side)
- CertificateVerify
- ServerKeyExchange

The difficulty is that the latter two already have signals indicating
what acceptable signature algorithms are, in the ClientCertificateType,
and the ciphersuite respectively. So, we either need to significantly
reconstruct those or have duplication of information, with the 
result that you have to potentially deal with mismatched information,
e.g., only offering RSA in the SKE, but offering RSA and DSA in the
new value.

-Ekr

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls