IETF Logo Mail Archive

RE: [TLS] TLS 1.2 hash agility

Russ Housley <housley@vigilsec.com> Thu, 27 September 2007 23:56 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ib3DT-00082h-8C; Thu, 27 Sep 2007 19:56:23 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ib3DS-00082I-7x for tls@ietf.org; Thu, 27 Sep 2007 19:56:22 -0400
Received: from woodstock.binhost.com ([8.8.40.152]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1Ib3DL-000614-Ht for tls@ietf.org; Thu, 27 Sep 2007 19:56:22 -0400
Received: (qmail 16322 invoked by uid 0); 27 Sep 2007 23:55:51 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (96.231.48.203) by woodstock.binhost.com with SMTP; 27 Sep 2007 23:55:51 -0000
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Thu, 27 Sep 2007 12:26:01 -0400
To: Pasi.Eronen@nokia.com
From: Russ Housley <housley@vigilsec.com>
Subject: RE: [TLS] TLS 1.2 hash agility
In-Reply-To: <B356D8F434D20B40A8CEDAEC305A1F2404A1F1D7@esebe105.NOE.Noki a.com>
References: <46ABB82D.8090709@pobox.com> <46ACCCCB.8000201@pobox.com> <B356D8F434D20B40A8CEDAEC305A1F24046B2496@esebe105.NOE.Nokia.com> <20070914215611.0342933C21@delta.rtfm.com> <46EB102E.2070900@pobox.com> <20070914225606.9E9B433C21@delta.rtfm.com> <46EC2AE7.9040903@pobox.com> <20070917185820.6E7CC33C3A@delta.rtfm.com> <46FA745A.3070305@pobox.com> <20070926152907.8A60B33C23@delta.rtfm.com> <46FA91E8.5020303@pobox.com> <46FB4397.6040203@pobox.com> <B356D8F434D20B40A8CEDAEC305A1F2404A1F1D7@esebe105.NOE.Nokia.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 1.9 (+)
X-Scan-Signature: 39bd8f8cbb76cae18b7e23f7cf6b2b9f
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Message-Id: <E1Ib3DT-00082h-8C@megatron.ietf.org>

For backward compatibility, wouldn't it be cleaner to add a new 
rsa_xxx type to indicate the different semantics.  The new type would 
not be supported by non-TLS v1.2 implementations, nut the handling of 
rsa_sign wouid be the same in all cases.

Russ


  At 05:41 AM 9/27/2007, Pasi.Eronen@nokia.com wrote:
>mike-list@pobox.com wrote:
>
> > The only thing I could come up with is that putting the list of
> > signature algorithms in the CertificateRequest is a change to the
> > format of that message, so it requires version-specific processing,
> > whereas if you use the server extension, the format of Certificate
> > Request is the same as previous TLS versions.
>
>CertificateRequest will require version-specific processing anyway,
>because its semantics will change. For example, in TLS 1.0/1.1
>ClientCertificateType "rsa_sign" meant a certificate containing
>an RSA key, and signed with RSA. In TLS 1.2, it will probably
>mean just a cert containing an RSA key; the signature algorithm
>part will be specified separately.
>
>(Another difference is that in TLS 1.0/1.1, clients that didn't
>have certificates often just ignored CertificateRequest;
>current draft of TLS 1.2 mandates sending an empty Certificate
>message instead.)
>
>Best regards,
>Pasi
>
>_______________________________________________
>TLS mailing list
>TLS@lists.ietf.org
>https://www1.ietf.org/mailman/listinfo/tls


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.37.1 | Report a Bug | By Email | System Status