[TLS] Re: Certificate Hash Types extension
Mike <mike-list at pobox.com> writes:
> Now I'm adding support for it in my server and I have a
> question about it: should the client order the list of
> supported hash algorithms in its order of preference?
> I would think this is a good idea, instead of leaving it
> up to the server to decide.
...
> In TLS 1.2, a CertificateRequest message has a list
> of HashTypes specifying the acceptable hashes used
> in certificate signatures. There is no guidance
> on the ordering of these values. I would suggest
> that the server should specify them in the order
> that it prefers. The client would scan the list
> in order, and return a certificate using the first
> matching hash algorithm.
I had the same reaction to both of these issues. I agree that it
would be more useful if the lists are in preference order.
Generally, is there a reason the certificate hash type mechanism isn't
defined in a symmetrical way? I mean, by using a new extension for
both directions.
/Simon
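The selection rule quoted above (the peer lists acceptable hash algorithms most-preferred first, the other side scans that list in order and picks the first certificate whose signature hash matches) as an added Python example; it is not code from the thread or from any TLS implementation. It assumes the TLS 1.2 HashAlgorithm code points of RFC 5246 (the thread only says "HashTypes"), and the certificate store and the local acceptance policy are constructed for the example. Because the function only takes a preference list and a certificate store, it works unchanged in either direction, which is the symmetric use Simon asks about.

```python
from enum import IntEnum


class HashAlgorithm(IntEnum):
    # TLS 1.2 HashAlgorithm code points (RFC 5246 section 7.4.1.4.1).
    # Assumed mapping; the thread itself only speaks of "HashTypes".
    none = 0
    md5 = 1
    sha1 = 2
    sha224 = 3
    sha256 = 4
    sha384 = 5
    sha512 = 6


# Constructed certificate store: (label, hash used in that certificate's
# signature). A real store would hold parsed X.509 objects.
CLIENT_CERTS = [
    ("rsa-sha1-cert", HashAlgorithm.sha1),
    ("rsa-sha256-cert", HashAlgorithm.sha256),
]

# Local policy (constructed): hashes this endpoint is willing to use at all.
# The peer's preference order decides *which* acceptable hash wins; it must
# not be able to talk us into md5 or "none" simply by listing them first.
LOCAL_ACCEPTABLE = {
    HashAlgorithm.sha1,
    HashAlgorithm.sha256,
    HashAlgorithm.sha384,
    HashAlgorithm.sha512,
}


def select_certificate(peer_hash_types, certs=CLIENT_CERTS,
                       acceptable=LOCAL_ACCEPTABLE):
    """Return the label of the first certificate matching the peer's list.

    peer_hash_types is the peer's list of HashAlgorithm code points in the
    peer's order of preference (first = most preferred). The list is scanned
    in that order; unknown code points are skipped rather than treated as an
    error, and hashes outside the local policy are skipped even if preferred.
    Returns None when no certificate satisfies both sides.
    """
    for code in peer_hash_types:
        try:
            wanted = HashAlgorithm(code)
        except ValueError:
            continue  # unknown code point from a newer peer: ignore it
        if wanted not in acceptable:
            continue  # listed by the peer, but refused by local policy
        for label, cert_hash in certs:
            if cert_hash == wanted:
                return label
    return None


if __name__ == "__main__":
    # Peer prefers sha512, then sha256, then sha1: sha256 is the first match.
    print(select_certificate([6, 4, 2]))
    # Peer prefers md5 first: md5 is not in local policy, so sha1 is chosen.
    print(select_certificate([1, 2]))
    # Peer only accepts sha384: nothing in the store matches.
    print(select_certificate([5]))
```

Running the module prints `rsa-sha256-cert`, `rsa-sha1-cert` and `None`. The two-sided filter is the point: preference order from the peer removes the guesswork the thread complains about, but the local `acceptable` set is what keeps a weak entry at the head of the peer's list from being honoured.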
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.