Re: [TLS] Last Call: draft-ietf-tls-rfc4346-bis (The Transport
I think you have a point here -- while I agree that using
SHA-224 to construct a MAC isn't very useful here, we probably should support
SHA-224 in signatures (especially those contained in certificates, where TLS
can't really negotiate what the CA uses).
Best regards,
Pasi
You raise good points but by not having SHA-224 as a
supported hash algorithm you effectively prevent anyone from using any
certificates which use SHA-224 in TLS 1.2.
If the certificate doesn't use a hash algorithm found in the
signature_algorithms extension then it cannot be used in TLS 1.2.
-----------------------------------------------
Robert Dugal
Member of Development Group
Certicom Corp.
EMAIL: rdugal at certicom.com
PHONE: (905) 501-3848
FAX: (905) 507-4230
WEBSITE: www.certicom.com
tls-bounces at ietf.org wrote on 03/04/2008 03:56:44 PM:
> At Tue, 4 Mar 2008 21:45:20 +0100 (MET),
> Martin Rex wrote:
> >
> > Eric Rescorla wrote:
> > >
> > > At Tue, 4 Mar 2008 09:58:29 -0800,
> > > Paul Hoffman wrote:
> > > >
> > > > At 6:19 AM -0500 3/4/08, Rob Dugal wrote:
> > > > >section 7.4.1.4.1
> > > > >
> > > > >Why is SHA-224 not supported as a HashAlgorithm? For completeness
> > > > >shouldn't TLS 1.2 support all the SHA-2 algorithms?
> > > >
> > > > Not everyone agrees with the utility of SHA-224, particularly in a
> > > > protocol where AES-128 is mandatory to implement.
> > >
> > > Indeed.
> > >
> > > If you want a MAC with effective algorithmic security the same as
> > > SHA-256 but shorter, that's what truncated MACs are for.
> >
> > SHA-224 is effectively that:
> >
> > SHA-224 is based on SHA-256, but it uses a different
> > initial value and the result is truncated to 224 bits.
>
> Yes, that's my point.
>
> Shaving 4 bytes off of the packet size when the MAC is 32
> bits is of extremely marginal value. If what you want is
> a MAC that has the same algorithmic security as SHA-256
> but you're worried about packet size, use SHA-256 truncated
> to 80 bits with the truncated_mac extension.
>
> -Ekr
>
> _______________________________________________
> TLS mailing list
> TLS at ietf.org
> https://www.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
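
The check described in the thread (a certificate whose signature hash is not listed in the client's signature_algorithms extension cannot be used in TLS 1.2), as an added example that is not part of the original messages. The code points are those of the published RFC 5246, an assumption relative to the draft under discussion; the extension bytes, certificate subjects and function names are constructed for illustration.

```python
import struct

# Code points from the published RFC 5246, section 7.4.1.4.1 (an assumption
# relative to this thread, which discusses an earlier draft).
HASH = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
        4: "sha256", 5: "sha384", 6: "sha512"}
SIG = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}


def parse_signature_algorithms(ext_data: bytes):
    """Decode signature_algorithms extension_data into (hash, sig) pairs."""
    if len(ext_data) < 2:
        raise ValueError("missing vector length")
    (vec_len,) = struct.unpack_from("!H", ext_data, 0)
    body = ext_data[2:]
    # The vector is a 2-byte length followed by 2-byte (hash, signature) pairs.
    if vec_len != len(body) or vec_len == 0 or vec_len % 2:
        raise ValueError("malformed supported_signature_algorithms vector")
    pairs = []
    for i in range(0, vec_len, 2):
        h, s = body[i], body[i + 1]
        # Unknown code points stay numeric so they never match a name.
        pairs.append((HASH.get(h, h), SIG.get(s, s)))
    return pairs


def unusable_certs(offered, chain):
    """Return subjects of certificates signed with a pair the client did not offer."""
    allowed = set(offered)
    return [subject for subject, pair in chain if pair not in allowed]


# Constructed extension body: sha256/rsa, sha1/rsa, sha256/ecdsa (no sha224).
CLIENT_EXT = bytes.fromhex("0006" "0401" "0201" "0403")

# Constructed chain: (subject, (hash, signature)) of each certificate's signature.
CHAIN = [
    ("leaf.example", ("sha224", "rsa")),
    ("Example Intermediate CA", ("sha256", "rsa")),
]

if __name__ == "__main__":
    offered = parse_signature_algorithms(CLIENT_EXT)
    print("offered:", offered)
    print("unusable:", unusable_certs(offered, CHAIN))
```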