Re: [TLS] First TLS cached information draft posted

To: Stefan Santesson <stefan at aaa-sec.com>
Subject: Re: [TLS] First TLS cached information draft posted
From: Simon Josefsson <simon at josefsson.org>
Date: Tue, 09 Jun 2009 08:37:14 +0200
Cc: TLS wg <TLS at ietf.org>
Delivered-to: tls at core3.amsl.com
In-reply-to: <C64F1CB6.278D%stefan at aaa-sec.com> (Stefan Santesson's message of "Fri, 05 Jun 2009 19:04:22 +0200")
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Openpgp: id=B565716F; url=http://josefsson.org/key.txt
References: <87vdnavowa.fsf at mocca.josefsson.org> <C64F1CB6.278D%stefan at aaa-sec.com>
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.94 (gnu/linux)

Stefan Santesson <stefan at aaa-sec.com> writes:

> Simon,
>
> The specification allows you to specify and use any hash algorithm that is
> supported by the TLS hash algorithm registry.
>
> SHA-1 is the only MUST support algorithm, and I think that is correct.

That's fine.

In practice, I guess client implementations are likely to send:

CachedInformation =
  {
    { certificate_chain { sha1, "..." } },
    { certificate_chain { sha2-512, "..." } },
    ...
  }

How should a server behave if it receives a HashAlgorithm it doesn't
support, for a CachedInformationType it does support?

I suggest unsupported hashes should be ignored by servers.  I think some
guidance in the document is needed to make sure algorithm agility will
work.

In other words, after:

   Hash algorithm identifiers are provided by the RFC 5246 [RFC5246]
   HashAlgorithm registry. Compliant implementations MUST support
   sha1(2) as HashAlgorithm.

add this sentence:

   Servers MUST ignore unsupported hash algorithm identifiers.

This leads to the possibly surprising behaviour that if a sha1 value is
not sent by the client, and the server only supports sha1, the extension
will not be negotiated.  But that is right, isn't it?

/Simon

> /Stefan
>
>
> On 09-06-05 2:36 PM, "Simon Josefsson" <simon at josefsson.org> wrote:
>
>> A minor discussion would be whether adding support for SHA-256/384/512
>> is worthwhile, but I don't feel strongly either way.

References:
- Re: [TLS] First TLS cached information draft posted
  - From: Simon Josefsson
- Re: [TLS] First TLS cached information draft posted
  - From: Stefan Santesson

Prev by Date: Re: [TLS] FWD: First TLS cached information draft posted
Next by Date: Re: [TLS] First TLS cached information draft posted
Previous by thread: Re: [TLS] First TLS cached information draft posted
Next by thread: Re: [TLS] First TLS cached information draft posted
Index(es):
- Date
- Thread

Re: [TLS] First TLS cached information draft posted

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.