[TLS] Re: Certificate Hash Types extension
Simon Josefsson <simon@josefsson.org> Mon, 05 February 2007 21:18 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HEBEY-0005PJ-OX; Mon, 05 Feb 2007 16:18:42 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HEBEX-0005PD-Oa for tls@ietf.org; Mon, 05 Feb 2007 16:18:41 -0500
Received: from 178.230.13.217.in-addr.dgcsystems.net ([217.13.230.178] helo=yxa.extundo.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HEBET-0003Oi-RM for tls@ietf.org; Mon, 05 Feb 2007 16:18:41 -0500
Received: from localhost.localdomain (yxa.extundo.com [217.13.230.178]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id l15LI3tK020881 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 5 Feb 2007 22:18:05 +0100
From: Simon Josefsson <simon@josefsson.org>
To: Mike <mike-list@pobox.com>
References: <45C769D9.3000004@pobox.com>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:070205:mike-list@pobox.com::hY6tX3tUpQeq/Ohn:Uyf
X-Hashcash: 1:22:070205:tls@ietf.org::a8k+KkBiAxjC6pN/:2PdG
Date: Mon, 05 Feb 2007 22:18:02 +0100
In-Reply-To: <45C769D9.3000004@pobox.com> (Mike's message of "Mon\, 05 Feb 2007 09\:31\:05 -0800")
Message-ID: <87y7ncfgmt.fsf@latte.josefsson.org>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.93 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Status: No, score=-1.8 required=4.0 tests=AWL,BAYES_00, FORGED_RCVD_HELO autolearn=ham version=3.1.1
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on yxa-iv
X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com
X-Virus-Status: Clean
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 9182cfff02fae4f1b6e9349e01d62f32
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] Re: Certificate Hash Types extension
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Mike <mike-list@pobox.com> writes: > Now I'm adding support for it in my server and I have a > question about it: should the client order the list of > supported hash algorithms in its order of preference? > I would think this is a good idea, instead of leaving it > up to the server to decide. ... > In TLS 1.2, a CertificateRequest message has a list > of HashTypes specifying the acceptable hashes used > in certificate signatures. There is no guidance > on the ordering of these values. I would suggest > that the server should specify them in the order > that it prefers. The client would scan the list > in order, and return a certificate using the first > matching hash algorithm. I had the same reaction to both of these issues. I agree that it would be more useful if the lists are in preference order. Generally, is there a reason the certificate hash type mechanism isn't defined in a symmetrical way? I mean, by using a new extension for both directions. /Simon _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Certificate Hash Types extension Mike
- [TLS] Re: Certificate Hash Types extension Simon Josefsson