Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis

Peter Gutmann <> Thu, 04 December 2014 07:42 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 3F6BC1A88CB for <>; Wed, 3 Dec 2014 23:42:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LT4koOd5NgFj for <>; Wed, 3 Dec 2014 23:42:19 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0C72F1A0074 for <>; Wed, 3 Dec 2014 23:42:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=uoa; t=1417678939; x=1449214939; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=7qJ/m2nH2nkBj5Hfbb17h4U7KjWxfSfqd4mxl3Xri64=; b=Vh2gSKTm8MehgzNUH4NM+s9Fev8TeKqCeIF62DHmUdGKkpifgkSbtEKF 93nbH8RHxByhNpuFhZpv4GkcUyvsI5dKy+BPjceb+sDOlAR19dFg7hXU7 7V9UbxR8Re3kNvPt5IzW/l56fNC9mKYy9zkKBDXcnYbD8PPVH/DleMbKa A=;
X-IronPort-AV: E=Sophos;i="5.04,630,1406548800"; d="scan'208";a="294835745"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 04 Dec 2014 20:42:15 +1300
Received: from ([]) by ([]) with mapi id 14.03.0174.001; Thu, 4 Dec 2014 20:42:14 +1300
From: Peter Gutmann <>
To: "<>" <>
Thread-Topic: [TLS] WG adoption: draft-nir-tls-rfc4492bis
Thread-Index: AdAPldG0njcyRjMCRke2jv01iiBgXg==
Date: Thu, 04 Dec 2014 07:42:13 +0000
Message-ID: <>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 04 Dec 2014 07:42:23 -0000

Jeffrey Walton <> yes:

>Wouldn't that put certificate parameters (like signing algorithms) under the
>purview of PKIX WG?

Yes.  That's the problem with this requirement (which others have already
pointed out), it's a layering violation.  The TLS stack should not be
dictating terms to the PKI implementation or the CA.

That's not to say that PKIX doesn't do the same thing.  Their CMP spec
requires that the cert-transport layer pull apart the certificates that are
being communicated, extract the signature algorithm from the cert, and
authenticate the messaging using the algorithm used to sign the cert. 

Both are a me-centric worldview, for TLS it's "the PKI does what the transport
tells it to", for PKIX it's "the transport does what the PKI tells it to".  If
RFC 1958 gets updated at some point they should add "Redde Caesari quae sunt
Caesaris" as a design principle.