On 03/29/2017 10:29 AM, Subodh Iyengar wrote:
>
>> Do we want to leave the valid SignatureSchemes as all that are
>> defined, or mention the Recommended column in the registry, or narrow
>> things even further? In other words, should we give some guidance for
>> how to select a scheme to use?
>
> It's restricted to the ones that are supported by the client in TLS
> 1.3. I don't see TLS recommending signature algorithms to use beyond
> section 4.2.3 that "rsa_pkcs1_sha1, dsa_sha1, and ecdsa_sha1 SHOULD
> NOT be offered." What kind of a recommendation would you like to see?
> Would love a pull request at https://github.com/ekr/tls-subcerts/pulls
> to get a general idea of what you would like to see.
>
All I had in mind was like one sentence when talking about the interpretation of the 'scheme' field of DelegatedCredential: "The scheme is taken from the TLS SignatureSchemes registry [RFCTLS1.3], and schemes recommended for use in TLS are also recommended for use in delegated credentials." Arguably not needed at all, but perhaps gives a bit more clarity.

-Ben
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls