Re: [TLS] "Last call" on draft-altman-tls-channel-bindings-05.txt
On Thu, Aug 20, 2009 at 12:25:38AM +0200, Simon Josefsson wrote:
> Nicolas Williams <Nicolas.Williams@xxxxxxx> writes:
> > But I don't want to guess at what might happen in the future
> > of digital signatures.
>
> I agree, we could decide to not resolve this concern.
>
> > Instead I'd rather either say that tls-server-end-point CB is
> > undefined if the cert's signature alg does not use a signature, or
> > pick a hash function (e.g., SHA-512) to use in such cases.
>
> If use of SHA-512 is hard-coded, we run into problems when it is phased
> out. Negotiating any other hash function will be tricky. Alas, I'm not
> sure leaving it undefined is any better: negotiating what hash function
> to use in that situation seems equally tricky.

I chatted with Jeff Hutzelman about this, and we both concluded that
leaving tls-server-end-point undefined in this case is acceptable
because we could change the spec to define tls-server-end-point for such
signature algorithms when they arise.

> This is one reason where deriving channel binding data from the TLS
> channel using tls-extractor appears more robust: it leaves negotiation
> of the hash function to the TLS protocol.

tls-unique does that already (though not using the extractor). We're
talking about end-point channel binding types here, which are
independent of actual channels, therefore we couldn't use the extractor.

Nico
--
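
The hash selection discussed in this message, as an added example that is not code from the thread's participants or from the draft: it follows the rule as later published in RFC 5929 (use the hash named by the certificate's signatureAlgorithm, substitute SHA-256 for MD5 or SHA-1, and leave the binding undefined otherwise). The OID table is a small subset, `fake_cert` builds a constructed unsigned DER skeleton purely as sample input, and all function names are hypothetical.

```python
import hashlib

# Outer signatureAlgorithm OID (DER content bytes) -> hash that algorithm names.
SIG_ALG_HASH = {
    bytes.fromhex("2a864886f70d010104"): "md5",     # md5WithRSAEncryption
    bytes.fromhex("2a864886f70d010105"): "sha1",    # sha1WithRSAEncryption
    bytes.fromhex("2a864886f70d01010b"): "sha256",  # sha256WithRSAEncryption
    bytes.fromhex("2a864886f70d01010d"): "sha512",  # sha512WithRSAEncryption
    bytes.fromhex("2a8648ce3d040303"): "sha384",    # ecdsa-with-SHA384
}

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                      # long-form length: next n bytes
        n = first & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    else:
        length = first
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def signature_algorithm_oid(cert_der):
    """OID bytes of Certificate.signatureAlgorithm (the field after tbsCertificate)."""
    tag, start, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(cert_der, start)        # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert_der, tbs_end)    # AlgorithmIdentifier
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OID")
    return cert_der[oid_start:oid_end]

def tls_server_end_point(cert_der):
    """Channel binding bytes, or None where the binding is undefined."""
    name = SIG_ALG_HASH.get(signature_algorithm_oid(cert_der))
    if name is None:                      # no single hash known for this algorithm
        return None
    if name in ("md5", "sha1"):           # RFC 5929: weak hashes are replaced
        name = "sha256"
    return hashlib.new(name, cert_der).digest()

def fake_cert(oid):
    """Constructed, unsigned DER skeleton with the given signatureAlgorithm OID."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body   # short lengths only
    alg = tlv(0x30, tlv(0x06, oid) + b"\x05\x00")
    return tlv(0x30, tlv(0x30, b"\x02\x01\x00") + alg + b"\x03\x02\x00\x00")
```

Returning `None` for an unlisted OID makes the caller handle the undefined case explicitly instead of silently falling back to a hard-coded hash.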