This seems like a good change. I'll merge it before -16 unless someone objects.
On Tue, Sep 20, 2016 at 8:56 AM, David Benjamin <david...@chromium.org> wrote: > On Tue, Sep 20, 2016 at 11:33 AM Ilari Liusvaara <ilariliusva...@welho.com> > wrote: > >> On Tue, Sep 20, 2016 at 03:07:51PM +0000, David Benjamin wrote: >> > Hi folks, >> > >> > I've just uploaded this PR to slightly tweak SignatureScheme numbering: >> > https://github.com/tlswg/tls13-spec/pull/641 >> > >> > In principle, we should only have needed to burn values starting with >> known >> > HashAlgorithms, but TLS 1.2 said: >> > >> > signature >> > This field indicates the signature algorithm that may be used. >> > The values indicate anonymous signatures, RSASSA-PKCS1-v1_5 >> > [PKCS1] and DSA [DSS], and ECDSA [ECDSA], respectively. The >> > "anonymous" value is meaningless in this context but used in >> > Section 7.4.3. It MUST NOT appear in this extension. >> > >> > We'd started RSA-PSS along the train to get shipped in Chrome to get >> early >> > warning on any interoperability issues. We ran into an implementation >> which >> > enforced this MUST NOT. It's a MUST NOT in 1.2, so it seems prudent to >> > allocate around it and avoid ending in known SignatureAlgorithms. Thus, >> > rather than only burning {0x00-0x06, *}, we also burn {*, 0x00-0x03}. >> This >> > has the added benefit that TLS 1.2 dissector tools don't get confused. >> >> Heck, I think one could put the RSA-PSS ones as 0404, 0504 and 0604, >> as those do have the indicated "prehashes". >> >> And one could probably also stick Ed25519/Ed448 in 00xx, as those have >> no prehash, which is exactly what "hash #0" is about. >> >> (Of course, this all is pretty pointless bikeshedding). >> > > The ecdsa_p256_sha256 business means that the old scheme isn't quite > accurate. And if we are to drop the old scheme, it was intentional on my > part that RSA-PSS did not look like it, even though it still fit. I think > that paid off. No one's going to implement Ed25519 for a while, so RSA-PSS > is our smoke test that this SignatureScheme idea is sane. (Both for interop > and for making sure removing the hash/sig decomposition in implementations > internally is sound.) > > David > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
