Re: [TLS] Client Request and ecdsa_sign
Eric Rescorla <ekr@rtfm.com> Sat, 14 March 2015 14:35 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8BE61A038E for <tls@ietfa.amsl.com>; Sat, 14 Mar 2015 07:35:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q71VdP3yyhX7 for <tls@ietfa.amsl.com>; Sat, 14 Mar 2015 07:35:54 -0700 (PDT)
Received: from mail-wg0-f53.google.com (mail-wg0-f53.google.com [74.125.82.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8D6D1A0262 for <tls@ietf.org>; Sat, 14 Mar 2015 07:35:53 -0700 (PDT)
Received: by wggv3 with SMTP id v3so8423281wgg.1 for <tls@ietf.org>; Sat, 14 Mar 2015 07:35:52 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=PpsNeeblcvdKABJbEK+q5m3TerbT3DL7r4426xQ7kn8=; b=Z3BAm/a3nCdrBgSiLyokPzq2CxM8d1JppuogSjF8fPENyyix5V9L2g1xJxPEyN0VvK 9EZFMVE/O1nDN1aArzZhl9igCoqNRwtwisFtiqge/p9csQhMi4XWwvrS+RT8aIchw9Ma 68crKzB/eJFDNdqVNxImls7Ge5eswEOvAtnLrnAmeo/+22y4fvNXCoJpYPnmjrNBIwPF dL/iLAY4b0XxG8LFGYGq93b4lZGPOJdwdOpWJisBUVnKx1X13LtwqsfeMpAkMMio+0/4 hqVK5tyzvmuXEtIGMaSagFOzyHJFtjp/fshZ3PSYmaFxsxevgdNfU1JKHuMU3jh4tMSk cXLA==
X-Gm-Message-State: ALoCoQnvOa6EJiJE/bhVj6JGILCso5iP5WLzV4eB7voCeyTiJEXZhddMR3sy5LpH1r9+LAJ1Wm2e
X-Received: by 10.194.190.10 with SMTP id gm10mr106970958wjc.91.1426343752440; Sat, 14 Mar 2015 07:35:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.205.198 with HTTP; Sat, 14 Mar 2015 07:35:12 -0700 (PDT)
In-Reply-To: <19075EB00EA7FE49AFF87E5818D673D41145EEAA@PRODEXMB01W.eagle.usaa.com>
References: <19075EB00EA7FE49AFF87E5818D673D41145EEAA@PRODEXMB01W.eagle.usaa.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 14 Mar 2015 07:35:12 -0700
Message-ID: <CABcZeBOHKfrFptjQs2_dqv2Wvra0S+LkYcUgvkskkVROQpoV0w@mail.gmail.com>
To: "Mehner, Carl" <Carl.Mehner@usaa.com>
Content-Type: multipart/alternative; boundary="047d7bea39f4b1359005114088a5"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Ul-vIqPQVgKZUDT9yjHEafsrWjQ>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Client Request and ecdsa_sign
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Mar 2015 14:35:55 -0000
I believe we are going to remove this entire field and its associated code points because it is redundant with the signature algorithms. -Ekr On Fri, Mar 13, 2015 at 10:43 PM, Mehner, Carl <Carl.Mehner@usaa.com> wrote: > I created a new issue on GitHub: > https://github.com/tlswg/tls13-spec/issues/154 > > > Right now it appears that ecdsa certificates are not allowed for use as > client certificates. Should we explicitly state that they may be used in > the Client Certificate section? > > > this would add an element (ecdsa_sign(64)) to the ClientCertificateType > enum to make it: > > enum { > rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), > rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6), > fortezza_dms_RESERVED(20), ecdsa_sign(64), (255) > } ClientCertificateType; > > > > as well as a new line to the certificate_types: > > ecdsa_sign a certificate containing an ECDSA key > > > I suppose we could add in the ecdsa_fixed_ecdh as well... but weren't we > trying to go pure ephemeral? > > If so, should we take out the other *_fixed_dh identifiers? Already the > paragraph that starts, "For historical reasons," says those have been > obsoleted. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Client Request and ecdsa_sign Mehner, Carl
- Re: [TLS] Client Request and ecdsa_sign Eric Rescorla