RE: [TLS] Updated TLS 1.2 I-D

Eric Rescorla wrote:

> > The "Hash" algorithm used in RSA signatures is the same hash
> > algorithm used in the signature of the certificate.  Although this
> > is a simple way to choose the "Hash" algorithm, the chosen hash
> > algorithm really reflects the capability of the CA that issued the
> > certificate as opposed to the capability of the certificate's
> > subject (the server or the client). For example, the CA may sign a
> > server certificate that contains an RSA public key using DSA, and
> > "Hash" would be SHA-1 because the signature of the certificate is
> > a DSA signature.
> 
> Yes. This is a hueristic, but it's the one we have. Since it seems
> like a generally safe assumption that you can verify your own
> cert, I don't think there's a problem here.

I agree with Anyang's concerns to some degree; an explicit negotiation
would be better than a heuristic. But since the draft already has
cert_hash_types extension, couldn't we use it to also specify what
algorithms are supported for the "Signature" construct?

(BTW, it would be useful if the server could also indicate to the
client which hash functions it supports, e.g. for client
authentication).

<snip>

> > Any interest in adding SHA-384 to the enumerated HashType defined
> > in 7.4.1.4.7? The current definition of HashType seems to imply that
> > CAs don't plan to sign certificates with SHA-384 in the signatures.
> 
> I don't personally hear much interest in that. How do other
> WG members feel?

Including SHA-384 would make the list match PKCS#1 (except for MD2,
but I guess that's obsolete)... so maybe it would like nicer?

Best regards,
Pasi

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls