Re: [TLS] Server Signature Algorithms
If the existing signature algorithms extension is made symmetric, then
the server still will need to put the same list of algorithms in the
certificate request since it will not know whether the client knows
about the change.
Mike
I wrote:
There are now at least 3 instances where a TLS client needs to know the
server's list of supported signature algorithms:
1. to compute the signature for the CertificateVerify message
2. to compute the hash of the handshake messages in (1) without
having to hold onto all of the messages
3. to compute hashes for the proposed cached information extension
Rather than duplicate the list for each of these and any future needs,
it makes sense to send it once in a server hello extension.
The simplest option would be to use the existing signature algorithms
extension and make it symmetrical. But if there is a deployed client
out there that aborts a connection if it receives a signature algorithm
extension, then a secondary option would be to create a new server-
signature-algorithms extension which is identical in structure to the
existing extension.
I would add that when the server sends its list of algorithms in the
extension, then it MUST NOT send a different list in the certificate
request message; in fact it SHOULD send an empty list. TLS 1.3 can
decide whether to eliminate the list from CertificateRequest.
Mike
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
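To make the proposal in the message concrete, here is an added example (not code from the message's author or from any TLS implementation) that encodes and parses the TLS 1.2 signature_algorithms extension body as defined in RFC 5246 section 7.4.1.4.1, picks the CertificateVerify algorithm from a server-advertised list as a client would, and checks the consistency rule the message proposes for CertificateRequest. The function names and the consistency check are hypothetical; the check encodes the rule stated in this message, not text from any RFC. The sample server list and client preferences are constructed.

```python
"""Added example: encode and parse the TLS 1.2 signature_algorithms
extension body (RFC 5246 section 7.4.1.4.1) and use a server-advertised
list the way the message proposes: pick the CertificateVerify algorithm
from it and check that a CertificateRequest list does not contradict it."""
import struct

# HashAlgorithm / SignatureAlgorithm code points from RFC 5246
SHA1, SHA256, SHA384, SHA512 = 2, 4, 5, 6
RSA, DSA, ECDSA = 1, 2, 3


def encode_sig_algs(pairs):
    """Encode (hash, sig) pairs as supported_signature_algorithms<2..2^16-2>:
    a 2-byte big-endian length followed by one byte pair per entry."""
    body = b"".join(bytes((h, s)) for h, s in pairs)
    if not 2 <= len(body) <= 0xFFFE:
        raise ValueError("supported_signature_algorithms length out of range")
    return struct.pack("!H", len(body)) + body


def parse_sig_algs(data):
    """Inverse of encode_sig_algs. Rejects truncated or odd-length bodies and
    trailing bytes instead of silently accepting them."""
    if len(data) < 2:
        raise ValueError("truncated length field")
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:]
    if length != len(body):
        raise ValueError("length field does not match body")
    if length < 2 or length % 2:
        raise ValueError("body must hold at least one 2-byte pair")
    return [(body[i], body[i + 1]) for i in range(0, length, 2)]


def choose_certificate_verify_alg(client_prefs, server_list):
    """Return the first client-preferred (hash, sig) pair the server also
    accepts, or None. The client signs CertificateVerify with this pair and
    only needs to keep running the hash it selects, which is the point the
    message makes about not retaining every handshake message."""
    accepted = set(server_list)
    for pair in client_prefs:
        if pair in accepted:
            return pair
    return None


def certificate_request_consistent(server_hello_list, cert_request_list):
    """Hypothetical check for the rule proposed in the message: once the
    server advertised a list in ServerHello, the CertificateRequest list must
    be empty or identical to it. With no ServerHello list there is nothing
    to compare against, so the check passes."""
    if server_hello_list is None:
        return True
    return cert_request_list == [] or cert_request_list == server_hello_list


if __name__ == "__main__":
    # Constructed sample: a server that accepts ECDSA/SHA256 and RSA/SHA256.
    server_ext = encode_sig_algs([(SHA256, ECDSA), (SHA256, RSA)])
    print(server_ext.hex())  # 000404030401
    server_list = parse_sig_algs(server_ext)
    client_prefs = [(SHA384, ECDSA), (SHA256, RSA), (SHA1, RSA)]
    print(choose_certificate_verify_alg(client_prefs, server_list))  # (4, 1)
    print(certificate_request_consistent(server_list, [(SHA1, RSA)]))  # False
```

The parser treats a length field that disagrees with the body, or an odd-length body, as a hard error rather than reading what it can; a lenient parser here is exactly where two endpoints end up with different views of the negotiated list.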