On Sat, Jan 16, 2016 at 11:01:12AM +0100, Hanno Böck wrote: > > > - rsapss_sha256 > > - rsapss_sha384 > > - rsapss_sha512 > > - ecdsa_p256_sha256 > > - ecdsa_p256_sha384 > > - ecdsa_p256_sha512 > > - ecdsa_p384_sha256 > > - ecdsa_p384_sha384 > > - ecdsa_p384_sha512 > > - ecdsa_p521_sha256 > > - ecdsa_p521_sha384 > > - ecdsa_p521_sha512 > > - eddsa_ed25519 > > - eddsa_ed448 > > Do we really need that many? > I think the "complexity zoo" of TLS is one of its current downsides and > I really think we should go with fewer options in the future. Can we > strip that down to - below 5 or something? (personal opinion: Strip > down to 2, but this may be too radical for now.)
Well, there already are 3 main signature schemes... Six of those on the list could be cut down (cutting the list to 8) for purposes of server signature. Unfortunately there might be more in certificate-to-certificate signatures. Also, I don't think having N signature algorithms is that bad (unless your TLS stack architecture is garbage, but then you have other problems anyway). But if that gets coupled to other things, you are in world of hurt. Such annoyances include the TLS_ECDHE_RSA_*/TLS_ECDHE_ECDSA_* cipher- suites, since RSA_PSS presumably uses _RSA_ and others use _ECDSA_. -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
