Re: [TLS] draft-rescorla-tls-suiteb-06.txt
Rob Dugal wrote:
>
> From section 4:
> Server and client certificates used to establish a Suite B-compliant
> connection MUST be signed with ECDSA. For certificates used at the
> 128-bit security level, the subject public key MUST use the P-256
> curve, and the digital signature MUST be calculated using the P-256
> curve and the SHA-256 hash algorithm. For certificates used at the
> 192-bit security level, the subject public key MUST use the P-384
> curve, and the digital signature MUST be calculated using the P-384
> curve and the SHA-384 hash algorithm.
>
>
> Does this only apply to the client/server certificates or every
> certificate in the client/server chain?
Intuitively I would expect an exact match requirement for the
end-entity cert and an "at least" requirement for the CA hierarchy
up to and including the TA or rootCA cert.
The description should probably be expanded and the requirements for
the CAs / path certs explicitly described to clarify the situation.
-Martin
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls
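
The two readings raised in this thread (section 4 applied exactly to every certificate in the chain, versus exact match for the end-entity cert and "at least" for the CA certs), compared on constructed chains. This is an added example, not part of the original messages or the draft. The `Cert` record, the `exact`/`at_least` rule functions and the chain contents are assumptions made for illustration; no real X.509 parsing is done.

```python
from dataclasses import dataclass

# Section 4 levels as quoted above: security bits -> (curve, hash).
LEVELS = {128: ("P-256", "SHA-256"), 192: ("P-384", "SHA-384")}
STRENGTH = {"P-256": 128, "SHA-256": 128, "P-384": 192, "SHA-384": 192}

@dataclass
class Cert:                 # hypothetical record, not parsed from real X.509
    name: str
    key_curve: str          # curve of the subject public key
    sig_curve: str          # curve of the issuer key that made the signature
    sig_hash: str           # hash used in that signature

def build_chain(specs):
    """specs: (name, key_curve, sig_hash), end-entity first, root last.
    Each cert is signed with its issuer's key; the root signs itself."""
    chain = []
    for i, (name, key_curve, sig_hash) in enumerate(specs):
        issuer_curve = specs[min(i + 1, len(specs) - 1)][1]
        chain.append(Cert(name, key_curve, issuer_curve, sig_hash))
    return chain

def exact(cert, level):
    curve, digest = LEVELS[level]
    return (cert.key_curve, cert.sig_curve, cert.sig_hash) == (curve, curve, digest)

def at_least(cert, level):
    # Algorithms outside the table (e.g. RSA, SHA-1) score 0 and fail.
    parts = (cert.key_curve, cert.sig_curve, cert.sig_hash)
    return all(STRENGTH.get(p, 0) >= level for p in parts)

def check_chain(chain, level, ca_rule):
    """Exact match for the end-entity cert, ca_rule for every cert above it.
    Returns the names of the certs that fail."""
    return [c.name for i, c in enumerate(chain)
            if not (exact if i == 0 else ca_rule)(c, level)]

# Constructed chains (names and algorithm mixes are sample data).
MIXED = build_chain([("server", "P-256", "SHA-256"),
                     ("intermediate", "P-256", "SHA-384"),
                     ("root", "P-384", "SHA-384")])
DIRECT = build_chain([("server", "P-256", "SHA-256"),
                      ("root", "P-384", "SHA-384")])

if __name__ == "__main__":
    for label, chain in (("MIXED", MIXED), ("DIRECT", DIRECT)):
        print(label, "exact everywhere:", check_chain(chain, 128, exact))
        print(label, "at-least for CAs:", check_chain(chain, 128, at_least))
```

`DIRECT` fails under both readings because a certificate's signature is made with its issuer's key, so an exact-match rule on the end-entity cert already fixes the curve of the CA directly above it.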