Hi,

In TLS 1.3, my understanding is that the digest function negotiated using the Signature Algorithm should be used for generating CertificateVerify, since the draft states that:

| Each SignatureScheme value lists a single signature algorithm that the client is willing to verify.

(section 4.2.3)

| The Hash function and the HKDF hash are the cipher suite hash algorithm. Hash.length is its output length.

(section 7.1)

The draft permits falling back to using SHA-1 certificates:

| TLS 1.3 servers MUST NOT offer a SHA-1 signed certificate unless no valid certificate chain can be produced without it.

(section 4.2.3)

However, the draft also states:

| SHA-1 MUST NOT be used in any signatures in CertificateVerify. All SHA-1 signature algorithms in this specification are defined solely for use in legacy certificates, and are not valid for CertificateVerify signatures.

(section 4.4.2)

So my question is, which signature algorithm am I supposed to use for an rsa_pkcs1_sha1 certificate? I'd assume that the answer is rsa_pss_sha256, but I could not find any such indication within the draft.

-- 
Kazuho Oku

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
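Editor's added example (Go, not code from the post or from any TLS implementation) of the point the question turns on: the algorithm the CA used to sign the certificate (rsa_pkcs1_sha1) and the scheme used to produce CertificateVerify are independent choices. CertificateVerify is signed with the certificate's key, its scheme is taken from the peer's signature_algorithms list, and for an RSA key it must be RSASSA-PSS with a SHA-2 digest; SHA-1 and PKCS#1 v1.5 are never candidates. The code uses the final RFC 8446 names and code points (the draft's rsa_pss_sha256 became rsa_pss_rsae_sha256, code point 0x0804) and builds and signs the CertificateVerify content as RFC 8446 section 4.4.3 specifies. The local preference order, the peer lists and the transcript hash are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignatureScheme code points from RFC 8446, section 4.2.3. The draft's
// rsa_pss_sha256 was renamed rsa_pss_rsae_sha256 and kept code point 0x0804.
const (
	rsaPkcs1Sha1     uint16 = 0x0201
	ecdsaSha1        uint16 = 0x0203
	rsaPkcs1Sha256   uint16 = 0x0401
	rsaPssRsaeSha256 uint16 = 0x0804
	rsaPssRsaeSha384 uint16 = 0x0805
	rsaPssRsaeSha512 uint16 = 0x0806
)

// rsaCertificateVerifySchemes lists, in a constructed local preference order,
// the schemes an RSA key may use for a TLS 1.3 CertificateVerify: RSASSA-PSS
// only, never PKCS#1 v1.5 and never SHA-1 (RFC 8446 section 4.4.3).
var rsaCertificateVerifySchemes = []uint16{rsaPssRsaeSha256, rsaPssRsaeSha384, rsaPssRsaeSha512}

// chooseRSACertificateVerifyScheme picks the CertificateVerify scheme for an
// RSA key from the peer's signature_algorithms list. The certificate's own
// signature algorithm (rsa_pkcs1_sha1 from the CA) is deliberately not an
// input: it only matters for chain validation, not for CertificateVerify.
func chooseRSACertificateVerifyScheme(peerSchemes []uint16) (uint16, error) {
	for _, ours := range rsaCertificateVerifySchemes {
		for _, theirs := range peerSchemes {
			if ours == theirs {
				return ours, nil
			}
		}
	}
	return 0, errors.New("peer offers no RSA-PSS scheme usable for CertificateVerify")
}

// certificateVerifyContent builds the signed bytes (RFC 8446 section 4.4.3):
// 64 spaces, the context string, a single zero byte, then the transcript hash.
func certificateVerifyContent(transcriptHash []byte, server bool) []byte {
	context := "TLS 1.3, client CertificateVerify"
	if server {
		context = "TLS 1.3, server CertificateVerify"
	}
	var b bytes.Buffer
	b.Write(bytes.Repeat([]byte{0x20}, 64))
	b.WriteString(context)
	b.WriteByte(0x00)
	b.Write(transcriptHash)
	return b.Bytes()
}

// signCertificateVerify signs content as rsa_pss_rsae_sha256: RSASSA-PSS with
// SHA-256 as digest and MGF1 hash and a salt equal to the digest length,
// as TLS 1.3 requires.
func signCertificateVerify(priv *rsa.PrivateKey, content []byte) ([]byte, error) {
	digest := sha256.Sum256(content)
	opts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], opts)
}

// verifyCertificateVerify is the peer's side of the check.
func verifyCertificateVerify(pub *rsa.PublicKey, content, sig []byte) error {
	digest := sha256.Sum256(content)
	opts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, opts)
}

func main() {
	// Constructed peer signature_algorithms list: legacy SHA-1 entries
	// (acceptable for certificates only) plus one PSS scheme.
	peer := []uint16{rsaPkcs1Sha1, ecdsaSha1, rsaPkcs1Sha256, rsaPssRsaeSha256}
	scheme, err := chooseRSACertificateVerifyScheme(peer)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CertificateVerify scheme: 0x%04x\n", scheme)

	// Constructed transcript hash standing in for Hash(ClientHello..Certificate).
	transcript := sha256.Sum256([]byte("constructed handshake transcript"))
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	content := certificateVerifyContent(transcript[:], true)
	sig, err := signCertificateVerify(priv, content)
	if err != nil {
		panic(err)
	}
	fmt.Println("verify:", verifyCertificateVerify(&priv.PublicKey, content, sig))
}
```

If the peer's list contains only SHA-1 and PKCS#1 v1.5 entries, chooseRSACertificateVerifyScheme returns an error rather than downgrading; a real server would then abort the handshake, since no CertificateVerify it could produce would be valid.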