Re: [TLS] TLS 1.2 and CertificateRequest message



I remember participating in the discussion that led to this design.  I
argued that since we added a signature algorithms extension to allow
negotiation of the client's preferred algorithms, it made the most
sense to make the extension symmetric so the server could notify the
client of its preferred algorithms in its hello message as well.

There was opposition to my argument, that the list of algorithms belongs
where it is needed, in the certificate request message.  The term
"locality of reference" was thrown around as a justification.  Not being
an official member of the working group, and since nobody else seemed to
prefer my idea, I forfeited the point.

To solidify this design choice the definition of the signature algorithms
extension states that the server MUST NOT send it.

My own implementation holds onto all the handshake messages and calculates
the hashes of them when needed.  If you'd like to test interoperability
with my server, https://www.mikestoolbox.net will ask you for a client
certificate.

Mike


Nikos Mavrogiannopoulos wrote:
Hello,
 I've been taking a look at TLS 1.2 and it seems that there is some new
negotiation added at the CertificateRequest message. At this message the
server is supposed to send a list of allowed algorithms for signature
calculation, and the client should respond with a signature that depends
on the previously exchanged handshake messages.

In previous versions of TLS a client could just start the hash
calculation for this signature during the exchange to avoid storing the
actual messages up to this point. However, with this negotiation at this
point it is quite impossible to use that approach and, as far as I
understand, one needs to follow the store approach.

My questions now are:
1. How is this implemented in compliant software today?

2. Why was this negotiation added? I see no added value in having such
negotiation at such a late point.

regards,
Nikos

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
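
The two ways a TLS 1.2 client can arrive at the CertificateVerify handshake hash raised in this thread, as an added Python example that is not code from either poster: storing the messages (the approach Mike describes) versus keeping one running hash context per candidate algorithm, an alternative the thread does not describe. The CertificateRequest body and the placeholder message bytes are constructed; the code points follow RFC 5246.

```python
import hashlib

HASHES = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}  # RFC 5246 HashAlgorithm ids

def parse_sig_algs(body):
    """Return (hash, signature) pairs from a TLS 1.2 CertificateRequest body."""
    off = 1 + body[0]                                  # skip certificate_types<1..255>
    length = int.from_bytes(body[off:off + 2], "big")  # supported_signature_algorithms
    algs = body[off + 2:off + 2 + length]
    if length % 2 or len(algs) != length:
        raise ValueError("malformed supported_signature_algorithms")
    return [(algs[i], algs[i + 1]) for i in range(0, length, 2)]

def choose_hash(pairs, sig=1):                         # 1 = SignatureAlgorithm.rsa
    """Pick the first server-listed hash usable with our key type."""
    for h, s in pairs:
        if s == sig and h in HASHES:
            return HASHES[h]
    raise ValueError("no common signature algorithm")

class ParallelTranscript:
    """One running context per candidate hash, pruned once the server has chosen."""
    def __init__(self):
        self.ctx = {n: hashlib.new(n) for n in HASHES.values()}
    def add(self, msg):
        for c in self.ctx.values():
            c.update(msg)
    def select(self, name):
        self.ctx = {name: self.ctx[name]}              # free the unused contexts
    def digest(self, name):
        return self.ctx[name].copy().digest()

def demo():
    # Constructed CertificateRequest body: rsa_sign; (sha384,rsa),(sha256,rsa); no CAs
    req = bytes([1, 1, 0, 4, 5, 1, 4, 1, 0, 0])
    # Placeholder bytes stand in for the other framed handshake messages
    flight = [b"ClientHello", b"ServerHello", b"Certificate", req,
              b"ServerHelloDone", b"ClientCertificate", b"ClientKeyExchange"]
    stored, running, name = bytearray(), ParallelTranscript(), None
    for msg in flight:
        stored += msg                                  # store approach: keep raw messages
        running.add(msg)
        if msg is req:                                 # algorithm only known from here on
            name = choose_hash(parse_sig_algs(req))
            running.select(name)
    return name, hashlib.new(name, bytes(stored)).digest(), running.digest(name)
```

The store approach costs memory proportional to the handshake size, while the parallel approach costs a fixed number of hash states plus the extra hashing work until the CertificateRequest arrives.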