RE: [TLS] Signature Hash Agility
Eric Rescorla wrote:
> > I'd prefer a more uniform approach:
> >
> > struct {
> > opaque signature_algorithm<0..2^16-1>;
> > opaque signature_value<0..2^16-1>;
> > } Signature;
> >
> > where signature_algorithm is DER-encoded AlgorithmIdentifier
> > structure, and signature_value is the actual signature value
> > (and for anonymous, both are just zero-length strings).
> >
> > This would work even in the case of ANSI X9.62 encoded ECDSA
> > public keys, where SPKI can list more than one acceptable hash
> > algorithm. (If they're all secure, substitution may not be
> > a problem; IMHO this is a CA policy issue, and we shouldn't
> > hardcode this in TLS.)
>
> I'm OK with a uniform type, but I think a HashType is what's
> appropriate here. OIDs don't seem like the TLS way...
I agree that OIDs are not really the TLS way... but
AlgorithmIdentifier would also work for signature schemes (such
as RSA PSS and randomized hashing) where the hash isn't the only
parameter needed to verify the signature.
(And actual implementations for e.g. RSASSA-PKCS1-v1_5 wouldn't
really need any ASN.1/DER code, just a hardcoded octet string.)
Best regards,
Pasi
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
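
The Signature structure proposed in the quoted text, decoded with hardcoded AlgorithmIdentifier octet strings instead of an ASN.1 parser. This is an added example, not part of the original message or of any TLS specification; the function names and the two-entry algorithm table are assumptions, and the signature bytes used with it are constructed.

```python
import struct

# DER AlgorithmIdentifier values held as fixed octet strings (no ASN.1 parser).
# Both are SEQUENCE { OID, NULL } for RSASSA-PKCS1-v1_5; the table is an assumption.
KNOWN_ALGORITHMS = {
    bytes.fromhex("300d06092a864886f70d0101050500"): "sha1WithRSAEncryption",
    bytes.fromhex("300d06092a864886f70d01010b0500"): "sha256WithRSAEncryption",
}


class DecodeError(ValueError):
    """Raised when a Signature structure is malformed or unsupported."""


def _read_vector(buf, offset):
    """Read one opaque<0..2^16-1> vector: 2-byte big-endian length, then body."""
    if len(buf) - offset < 2:
        raise DecodeError("truncated length prefix")
    (length,) = struct.unpack_from("!H", buf, offset)
    end = offset + 2 + length
    if end > len(buf):
        raise DecodeError("vector length exceeds remaining input")
    return buf[offset + 2:end], end


def encode_signature(algorithm, value):
    """Serialize signature_algorithm and signature_value as two opaque vectors."""
    if len(algorithm) > 0xFFFF or len(value) > 0xFFFF:
        raise ValueError("field too long for a 16-bit length prefix")
    return (struct.pack("!H", len(algorithm)) + algorithm
            + struct.pack("!H", len(value)) + value)


def decode_signature(buf):
    """Return (algorithm_name, signature_value); ("anonymous", b"") if both empty."""
    algorithm, offset = _read_vector(buf, 0)
    value, offset = _read_vector(buf, offset)
    if offset != len(buf):
        raise DecodeError("trailing bytes after Signature")
    if not algorithm and not value:
        return "anonymous", b""
    # Exact byte comparison: any other encoding of the same OID is rejected,
    # so a peer cannot select an algorithm outside the allow-list.
    name = KNOWN_ALGORITHMS.get(algorithm)
    if name is None:
        raise DecodeError("unsupported signature_algorithm")
    if not value:
        raise DecodeError("empty signature_value for a named algorithm")
    return name, value
```

Schemes whose parameters vary per signature, such as RSA PSS, cannot be matched against a fixed table this way and would need real DER decoding of the parameters field.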