RE: [TLS] Will CAs decide server signing algorithms in TLS 1.2?
Hi Simon,

This issue was discussed in Prague, and I think the conclusion
was that the current text needs to be changed. In other words:
if the client indicates that it supports RSA+SHA256, the server can
use it even if the CA used RSA+SHA1 to sign the server cert
(unless the certificate has an extension or something that
explicitly prohibits it -- there's some work in PKIX that
may be relevant).

Best regards,
Pasi

> -----Original Message-----
> From: ext Simon Josefsson [mailto:simon at josefsson.org] 
> Sent: 25 April, 2007 14:58
> To: tls at ietf.org
> Subject: [TLS] Will CAs decide server signing algorithms in TLS 1.2?
> 
> The Signature structure has changed, and the current text in section
> 7.4.3 says:
> 
>    If the SignatureAlgorithm being used to sign the ServerKeyExchange
>    message is DSA, the hash function used MUST be SHA-1. If the
>    SignatureAlgorithm it must be the same hash function used in the
>                      ^^^^^^^^^^^^^^^^
>    signature of the server's certificate (found in the Certificate)
>    message. This algorithm is denoted Hash below. Hash.length is the
>    length of the output of that algorithm.
> 
> I can't parse the second sentence here.  What is the intention here?
> 
> I'm assuming that the intention is to say that the SignatureAlgorithm
> must be the same as the signing algorithm in the server certificate.
>
> It seems weird that the CA who signs the server certificate will
> implicitly decide which signature algorithm is used inside TLS 
> between all servers and clients.
<snip>
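The negotiation Pasi describes (the client advertises the hash/signature pairs it accepts, and the server picks one of them for ServerKeyExchange regardless of which algorithm the CA used on the certificate) is modelled below as an added example; it is not code from this thread or from any IETF draft. It assumes the wire format and code points of the signature_algorithms extension as finally published in RFC 5246 section 7.4.1.4.1, the default list a server assumes when the client sends no extension (SHA-1 with each key type), and the RFC 5246 section 7.4.2 rule that certificates the server presents must be signed with a pair the client listed. All inputs are constructed; the names `negotiate`, `choose_server_signature` and `client_accepts_certificate` are this example's own.

```python
import struct

# HashAlgorithm and SignatureAlgorithm code points from RFC 5246, section 7.4.1.4.1
HASH = {"none": 0, "md5": 1, "sha1": 2, "sha224": 3, "sha256": 4, "sha384": 5, "sha512": 6}
SIG = {"anonymous": 0, "rsa": 1, "dsa": 2, "ecdsa": 3}
HASH_BY_CODE = {v: k for k, v in HASH.items()}
SIG_BY_CODE = {v: k for k, v in SIG.items()}

# List the server assumes when the client sends no extension (RFC 5246, 7.4.1.4.1)
DEFAULT_PAIRS = [("sha1", "rsa"), ("sha1", "dsa"), ("sha1", "ecdsa")]


def encode_signature_algorithms(pairs):
    """Build extension_data: 2-byte length, then (hash, sig) byte pairs, client preference first."""
    body = b"".join(struct.pack("BB", HASH[h], SIG[s]) for h, s in pairs)
    return struct.pack("!H", len(body)) + body


def parse_signature_algorithms(data):
    """Parse extension_data back into a list of (hash, sig) names; unknown code points are skipped."""
    if len(data) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", data[:2])
    if length == 0 or length % 2 or len(data) != 2 + length:
        raise ValueError("malformed signature_algorithms extension")
    pairs = []
    for i in range(2, 2 + length, 2):
        h, s = data[i], data[i + 1]
        if h in HASH_BY_CODE and s in SIG_BY_CODE:
            pairs.append((HASH_BY_CODE[h], SIG_BY_CODE[s]))
    return pairs


def client_accepts_certificate(client_pairs, cert_signature):
    """RFC 5246, 7.4.2: when the client sent the extension, every certificate the
    server presents must be signed with a pair that appears in the client's list."""
    return cert_signature in client_pairs


def choose_server_signature(client_pairs, server_key_type, server_supported):
    """Pick the pair for signing ServerKeyExchange.

    Only the client's list (in its preference order), the type of the server's
    key and what the server can produce matter here. The pair the CA chose for
    the certificate signature is deliberately not an input: it does not
    constrain the handshake signature.
    """
    for pair in client_pairs:
        if pair[1] == server_key_type and pair in server_supported:
            return pair
    raise ValueError("no common signature algorithm for ServerKeyExchange")


def negotiate(extension_data, server_key_type, server_supported, cert_signature):
    """Server-side view of one handshake: returns the ServerKeyExchange pair or raises."""
    if extension_data is None:
        client_pairs = DEFAULT_PAIRS
    else:
        client_pairs = parse_signature_algorithms(extension_data)
    if not client_accepts_certificate(client_pairs, cert_signature):
        raise ValueError("certificate signed with a pair the client did not offer")
    return choose_server_signature(client_pairs, server_key_type, server_supported)


# Constructed scenario from the thread: the CA signed the server cert with
# RSA+SHA1, the server holds an RSA key and can sign with SHA-1/256/384.
CERT_SIGNATURE = ("sha1", "rsa")
SERVER_SUPPORTED = {("sha1", "rsa"), ("sha256", "rsa"), ("sha384", "rsa")}


def demo():
    """Client offering SHA-256 first gets SHA-256 on ServerKeyExchange; a client
    sending no extension falls back to the SHA-1 default."""
    ext = encode_signature_algorithms([("sha256", "rsa"), ("sha1", "rsa"), ("sha256", "ecdsa")])
    with_ext = negotiate(ext, "rsa", SERVER_SUPPORTED, CERT_SIGNATURE)
    without_ext = negotiate(None, "rsa", SERVER_SUPPORTED, CERT_SIGNATURE)
    return with_ext, without_ext


if __name__ == "__main__":
    print(demo())
```

Note the one place the certificate signature still matters: a client that lists only SHA-256 pairs will cause `negotiate` to reject the SHA-1-signed certificate, which is the section 7.4.2 rule rather than any coupling between the certificate and the ServerKeyExchange signature.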

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.