Re: [TLS] Should TLS 1.3 servers send "signature_algorithms" extensions

Eric Rescorla <ekr@rtfm.com> Mon, 19 September 2016 23:13 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 19 Sep 2016 16:12:43 -0700
Message-ID: <CABcZeBM4XHjfHmAULEje1_t1rsk_77jdOxotMdOq=v1r+9Vvmw@mail.gmail.com>
To: Xiaoyin Liu <xiaoyin.l@outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VXNT1uiHcMdSTW5unkB9sM0eyXA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Should TLS 1.3 servers send "signature_algorithms" extensions

On Mon, Sep 19, 2016 at 3:56 PM, Xiaoyin Liu <xiaoyin.l@outlook.com> wrote:

> Hello,
>
> There seems to be a conflict in the TLS 1.3 spec on whether servers should
> send the "signature_algorithms" extension or not. In section 4.2.2 Signature
> Algorithms <https://tlswg.github.io/tls13-spec/#signature-algorithms>, it
> says:
>
> Servers which are authenticating via a certificate MUST indicate so by
> sending the client an empty "signature_algorithms" extension.
>
> But in section 8.2 MTI Extensions
> <https://tlswg.github.io/tls13-spec/#mti-extensions>, it says:
>
> Servers MUST NOT send the "signature_algorithms" extension
>
> So should a server send an empty "signature_algorithms" extension or not
> in ServerHello?
>

Section 8.2 is a bug in the spec. Servers need to send sig_algs if they are
signing.

David Benjamin has suggested an alternative encoding which I may put in a
future draft, but for -15, you need to send it.

-Ekr


>
> Thank you!
>
> Xiaoyin
>
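An added example, not part of this thread or of any TLS implementation: a small Python encoder and parser for the TLS extensions vector, with a check that applies the section 4.2.2 rule Ekr confirms for draft-15 (a server that authenticates via a certificate sends an empty "signature_algorithms" extension; the list of supported algorithms is something only the client sends). The extension_type value 13 is the IANA-registered code point for signature_algorithms; the byte strings at the bottom are constructed samples.

```python
import struct

SIGNATURE_ALGORITHMS = 13  # IANA extension_type for signature_algorithms

def encode_extensions(exts):
    """Encode [(extension_type, extension_data), ...] as Extension extensions<0..2^16-1>."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(body)) + body

def parse_extensions(buf):
    """Parse an extensions vector; raise ValueError if any length field is inconsistent."""
    if len(buf) < 2:
        raise ValueError("truncated extensions length")
    total = struct.unpack("!H", buf[:2])[0]
    if len(buf) != 2 + total:
        raise ValueError("extensions length does not match buffer")
    exts, pos = [], 2
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", buf[pos:pos + 4])
        pos += 4
        if pos + elen > len(buf):
            raise ValueError("truncated extension data")
        exts.append((etype, buf[pos:pos + elen]))
        pos += elen
    return exts

def server_signals_certificate_auth(server_hello_exts):
    """Draft-15 section 4.2.2 check on a ServerHello extensions block.
    True  -> an empty signature_algorithms extension is present (server will sign).
    False -> the extension is absent (e.g. PSK-only handshake).
    Raises if the server sent a non-empty or duplicated one, which only a client may do."""
    found = [d for t, d in parse_extensions(server_hello_exts) if t == SIGNATURE_ALGORITHMS]
    if not found:
        return False
    if len(found) > 1 or found[0] != b"":
        raise ValueError("server sent a non-empty or duplicate signature_algorithms extension")
    return True

# Constructed sample: extensions block of a signing server (just the empty marker).
SIGNING_SERVER_EXTS = encode_extensions([(SIGNATURE_ALGORITHMS, b"")])
# Constructed sample: a server that does not authenticate with a certificate.
PSK_SERVER_EXTS = encode_extensions([])
# Constructed sample of a client-style list (one SignatureScheme, 0x0403) that a
# server must never send.
CLIENT_STYLE_EXTS = encode_extensions([(SIGNATURE_ALGORITHMS, b"\x00\x02\x04\x03")])
```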