Re: [TLS] "Last call" on draft-altman-tls-channel-bindings-05.txt
On Wed, Aug 19, 2009 at 04:22:24PM -0500, Nicolas Williams wrote:
> On Wed, Aug 19, 2009 at 12:45:17AM +0200, Simon Josefsson wrote:
> > For completeness, I would add:
> >
> > This algorithm agility resolution mechanism assumes that there is a
> > mapping from every Public-key signature algorithm to one hash
> > function algorithm. This is the case for all practically used public
> > key signature algorithms today, but if future public-key signature
> > algorithms would employ multiple hash functions (or none at all) this
> > specification needs to be updated to resolve which hash function
> > should be used.
>
> This brings up a question: what to do in the case of randomized digital
> signatures? In the case of NIST-SP-800-106 there's still a hash
> function, so that's OK. But one can imagine a digital signature
> algorithm where a MAC and random key are used instead of a hash.
>
> ...
>
> But I don't want to guess at what might happen in the future
> of digital signatures. Instead I'd rather either say either
> that tls-server-end-point CB is undefined if the cert's
> signature alg does not use a signature, or pick a hash
> function (e.g., SHA-512) to use in such cases.
After asking others I propose the former solution:
Description: The hash of the TLS server's certificate [RFC5280] as it
appears, octet for octet, in the server's Certificate message (note
that the Certificate message contains a certificate_list, the first
element of which is the server's certificate.)
The hash function is to be selected as follows:
- if the certificate's signatureAlgorithm uses a single hash
function, and that hash function is either MD5 [RFC1321] or SHA-1
[RFC3174] then use SHA-256 [FIPS-180-2];
- if the certificate's signatureAlgorithm uses a single hash
function and that hash function is neither MD5 nor SHA-1, then use
the hash function associated with the certificate's
signatureAlgorithm;
- if the certificate's signatureAlgorithm uses no hash functions, or
multiple hash functions, then this channel binding type's channel
bindings are undefined at this time (updates to this channel binding
type may occur to address this issue if it ever arises).
Nico
--
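The three-rule hash selection in the proposed text above, worked through in Python as an added example. This is not code from the thread or from the draft: it walks just enough DER to pull `signatureAlgorithm.algorithm` out of a certificate, maps that OID to its hash through a small table (an assumption of this example, covering the common RSA/DSA/ECDSA identifiers; anything not in the table is treated as "cannot be resolved" and reported as undefined), applies the MD5/SHA-1 upgrade rule, and hashes the certificate octets exactly as they would appear on the wire. The certificate used as input is a constructed stand-in with a valid outer `Certificate` SEQUENCE and dummy contents, not a real certificate; `fake_certificate` exists only so the block runs offline.

```python
import hashlib

# Assumed mapping from certificate signatureAlgorithm OID to the single hash it uses.
# Values are hashlib names. Algorithms with no hash, multiple hashes, or not listed
# here resolve to None, which this example treats as "channel binding undefined".
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.10040.4.3": "sha1",        # dsa-with-sha1
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}


def _read_tlv(buf, pos):
    """Read one DER TLV (single-byte tag, short or long length) starting at pos.
    Returns (tag, content_bytes, position_after_tlv)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode OID content octets (base-128, high-bit continuation) to dotted form."""
    parts = [str(content[0] // 40), str(content[0] % 40)]
    num = 0
    for b in content[1:]:
        num = (num << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(num))
            num = 0
    return ".".join(parts)


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip tbsCertificate and return the dotted OID inside signatureAlgorithm."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _tag, _tbs, pos = _read_tlv(cert_body, 0)           # tbsCertificate, skipped
    tag, alg_id, _ = _read_tlv(cert_body, pos)           # AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)                   # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def select_hash(cert_der):
    """Apply the proposed rules: MD5/SHA-1 -> SHA-256; any other single hash -> itself;
    no hash, several hashes, or unknown algorithm -> None (undefined)."""
    h = SIG_ALG_HASH.get(signature_algorithm_oid(cert_der))
    if h is None:
        return None
    if h in ("md5", "sha1"):
        return "sha256"
    return h


def tls_server_end_point(cert_der):
    """Channel binding value: hash of the certificate octets exactly as carried in the
    server's Certificate message, or None when the binding is undefined."""
    h = select_hash(cert_der)
    return None if h is None else hashlib.new(h, cert_der).digest()


# --- constructed test input (not a real certificate) --------------------------

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    nums = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * nums[0] + nums[1]])
    for n in nums[2:]:
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.append(0x80 | (n & 0x7F))
            n >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_certificate(sig_oid):
    """Stand-in Certificate with dummy tbsCertificate and signatureValue, used only
    to exercise the selection logic above."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 17)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.13", "1.3.101.112"):
        cert = fake_certificate(oid)
        print(oid, "->", select_hash(cert), tls_server_end_point(cert))
```

Note that the hash is taken over the DER as received, never over a re-encoded copy; the draft's "octet for octet" wording is what makes both endpoints agree even when their ASN.1 libraries would serialize the certificate differently.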