Re: [TLS] Server Signature Algorithms

To: mickgray at au1.ibm.com (Michael Gray)
Subject: Re: [TLS] Server Signature Algorithms
From: Martin Rex <Martin.Rex at sap.com>
Date: Mon, 2 Nov 2009 17:56:36 +0100 (MET)
Cc: tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <OFCFFB440A.DEB1CEA7-ON4A257661.007208C6-4A257661.007271E8 at au1.ibm.com> from "Michael Gray" at Nov 2, 9 06:50:02 am
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Reply-to: mrex at sap.com

Michael Gray wrote:
> 
> 
> "Michael D'Errico" <mike-list at pobox.com> wrote:
> 
> > There are now at least 3 instances where a TLS client needs to know the
> > server's list of supported signature algorithms:
> >
> >     1. to compute the signature for the CertificateVerify message
> >     2. to compute the hash of the handshake messages in (1) without
> >        having to hold onto all of the messages
> >     3. to compute hashes for the proposed cached information extension
> >
> > Rather than duplicate the list for each of these and any future needs,
> > it makes sense to send it once in a server hello extension.
> >
> > The simplest option would be to use the existing signature algorithms
> > extension and make it symmetrical.  But if there is a deployed client
> > out there that aborts a connection if it receives a signature algorithm
> > extension, then a secondary option would be to create a new server-
> > signature-algorithms extension which is identical in structure to the
> > existing extension.
> >
> > I would add that when the server sends its list of algorithms in the
> > extension, then it MUST NOT send a different list in the certificate
> > request message; in fact it SHOULD send an empty list.  TLS 1.3 can
> > decide whether to eliminate the list from CertificateRequest.
> 
> Currently our toolkit when operating as a client will abort the handshake
> on this condition due to RFC 5246 in 7.4.1.4.1 saying: â??Servers
> MUST NOT send this extensionâ??.

That isn't strict, that is anal.

It would safe to entirely ignore an extension that should not be present,
and this is what the general rule _implies_:

   "Be liberal in what you accept, be conservative in what you send out."


-Martin

References:
- Re: [TLS] Server Signature Algorithms
  - From: Michael Gray

Prev by Date: Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:
Next by Date: Re: [TLS] Server Signature Algorithms
Previous by thread: Re: [TLS] Server Signature Algorithms
Index(es):
- Date
- Thread

Re: [TLS] Server Signature Algorithms

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.