[TLS] order of evaluation when multiple client hello extensions are specified

To: "tls at ietf.org" <tls at ietf.org>
Subject: [TLS] order of evaluation when multiple client hello extensions are specified
From: Rob Dugal <rdugal at certicom.com>
Date: Fri, 21 Nov 2008 11:11:33 -0500
Accept-language: en-US
Acceptlanguage: en-US
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Sender: tls-bounces at ietf.org
Thread-index: AclL89KdJn717MxXS1OkUYEHQu3BdA==
Thread-topic: order of evaluation when multiple client hello extensions are specified

How should a TLS server determine what is the best matching negotiation paramaters when a client sends several client hello extensions?
Suppose the client sends signature_algorithms, ec_pt_formats, and elliptic_curves extensions, containing multiple supported algorithms/formats/curves.
Which of these extensions should the server give the highest preference to?

For example, suppose client sends these:
elliptic_curves extension { secp384r1, secp256r1 } 
ec_pt_formats extension { ansiX962_compressed_prime, uncompressed } 
signature_algorithms extension { ecdsa/sha256, ecdsa/sha384, ecdsa/sha1 }


Without draft-rescorla-tls-suiteb being enforced, would secp384r1/sha384/uncompressed be considered a better match 
than secp256r1/sha256/ansiX962_compressed_prime?
 
Would the search order be this?
secp384r1/sha256/ansiX962_compressed_prime
secp384r1/sha384/ansiX962_compressed_prime
secp384r1/sha1/ansiX962_compressed_prime
secp384r1/sha256/uncompressed
secp384r1/sha384/uncompressed
secp384r1/sha1/uncompressed
secp256r1/sha256/ansiX962_compressed_prime
secp256r1/sha384/ansiX962_compressed_prime
secp256r1/sha1/ansiX962_compressed_prime
secp256r1/sha256/uncompressed
secp256r1/sha384/uncompressed
secp256r1/sha1/uncompressed


or maybe this?
secp384r1/sha256/ansiX962_compressed_prime
secp256r1/sha256/ansiX962_compressed_prime
secp384r1/sha256/uncompressed
secp256r1/sha256/uncompressed
secp384r1/sha384/ansiX962_compressed_prime
secp256r1/sha384/ansiX962_compressed_prime
secp384r1/sha384/uncompressed
secp256r1/sha384/uncompressed
secp384r1/sha1/ansiX962_compressed_prime
secp256r1/sha1/ansiX962_compressed_prime
secp384r1/sha1/uncompressed
secp256r1/sha1/uncompressed

-----------------------------------------------
Robert Dugal
Member of Development Group
Certicom Corp.
EMAIL: rdugal at certicom.com
PHONE: (905) 501-3848
FAX  : (905) 507-4230
WEBSITE: www.certicom.com


_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

Prev by Date: Re: [TLS] Name suggestions for tls-extractor
Next by Date: Re: [TLS] Name suggestions for tls-extractor
Previous by thread: [TLS] Name suggestions for tls-extractor
Next by thread: [TLS] draft-rescorla-tls-suiteb-11.txt
Index(es):
- Date
- Thread

[TLS] order of evaluation when multiple client hello extensions are specified

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.