Re: [TLS] TLS 1.2 hash agility

The only thing I could come up with is that putting the list of
signature algorithms in the CertificateRequest is a change to the
format of that message, so it requires version-specific processing,
whereas if you use the server extension, the format of Certificate
Request is the same as previous TLS versions.

CertificateRequest will require version-specific processing anyway, because its semantics will change. For example, in TLS 1.0/1.1 ClientCertificateType "rsa_sign" meant a certificate containing an RSA key, and signed with RSA. In TLS 1.2, it will probably mean just a cert containing an RSA key; the signature algorithm part will be specified separately.

Ok, this is valid. However, I have too much code that looks like:

   if (version == ssl3)
      do_this;
   else if (version <= tls11)
      do_that;
   else
      do_the_other;

Which is a maintenance nightmare.  In some places I used separate
functions for different TLS versions, all of which are very similar,
so that is not ideal either.  The less of this we need, the better.

(Another difference is that in TLS 1.0/1.1, clients that didn't
have certificates often just ignored CertificateRequest; current draft of TLS 1.2 mandates sending an empty Certificate message instead.)

Yes, but you can change your code to always send an empty Certificate even for the earlier versions.

Mike
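
An added example (not code from this thread or from any TLS stack mentioned in it) of confining the version check to one place: a CertificateRequest body parser that assumes the layout later published in RFC 5246, where supported_signature_algorithms sits between certificate_types and certificate_authorities. The names cert_request, read_vec, parse_cert_request and sig_alg_bytes, and the sample bytes, are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define TLS1_1 0x0302
#define TLS1_2 0x0303

typedef struct {
    const uint8_t *cert_types; size_t cert_types_len;
    const uint8_t *sig_algs;   size_t sig_algs_len;   /* stays empty before TLS 1.2 */
    const uint8_t *cas;        size_t cas_len;
} cert_request;

/* Constructed sample bodies: rsa_sign(1), no CAs; the 1.2 one adds {sha256(4), rsa(1)}. */
static const uint8_t BODY_TLS11[] = { 0x01, 0x01, 0x00, 0x00 };
static const uint8_t BODY_TLS12[] = { 0x01, 0x01, 0x00, 0x02, 0x04, 0x01, 0x00, 0x00 };

/* Read a vector with a 1- or 2-byte big-endian length prefix, bounds-checked. */
static int read_vec(const uint8_t **p, const uint8_t *end, int len_bytes,
                    const uint8_t **out, size_t *out_len)
{
    size_t n = 0;
    if ((size_t)(end - *p) < (size_t)len_bytes) return -1;
    for (int i = 0; i < len_bytes; i++) n = (n << 8) | *(*p)++;
    if ((size_t)(end - *p) < n) return -1;
    *out = *p; *out_len = n; *p += n;
    return 0;
}

/* Returns 0 on success, -1 on a malformed body. */
int parse_cert_request(uint16_t version, const uint8_t *buf, size_t len, cert_request *cr)
{
    const uint8_t *p = buf, *end = buf + len;
    cr->sig_algs = NULL; cr->sig_algs_len = 0;
    if (read_vec(&p, end, 1, &cr->cert_types, &cr->cert_types_len) < 0) return -1;
    if (cr->cert_types_len == 0) return -1;          /* certificate_types<1..2^8-1> */
    if (version >= TLS1_2) {                         /* the single version branch */
        if (read_vec(&p, end, 2, &cr->sig_algs, &cr->sig_algs_len) < 0) return -1;
        if (cr->sig_algs_len % 2) return -1;         /* whole (hash, signature) pairs */
    }
    if (read_vec(&p, end, 2, &cr->cas, &cr->cas_len) < 0) return -1;
    return p == end ? 0 : -1;                        /* reject trailing bytes */
}

/* Hypothetical helper: bytes of signature algorithms parsed, or -1 on failure. */
int sig_alg_bytes(uint16_t version, const uint8_t *buf, size_t len)
{
    cert_request cr;
    return parse_cert_request(version, buf, len, &cr) < 0 ? -1 : (int)cr.sig_algs_len;
}
```

Feeding a TLS 1.2 body to the parser under a TLS 1.1 version (or the reverse) fails on the length checks, which shows why the message cannot be parsed without knowing the negotiated version.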
