The string over which the delegation signature is computed contains the `SubjectPublicKeyInfo` of the DC public key. This in turn contains an `AlgorithmIdentifier`. Does an X.509 `AlgorithmIdentifier` determine a unique TLS `SignatureScheme`?
If not, this might lead to key agility issues, since the server could indicate a different signature algorithm (via the `signature_scheme` extension) than it uses to sign the handshake. I'm not sure if this leads to an attack, but it's a bit ugly. What we could do is replace the `SubjectPublicKeyInfo` with the DER-encoded public key and the SignatureScheme. This way the delegation signature binds the DC to the signature_algorithm indicated by the server. This design would seem to be in line with the goal of having the simplest possible semantics for delegated credentials. Comments are welcome. See also the issue on GitHub: https://github.com/tlswg/tls-subcerts/issues/4

Chris Patton
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
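The question raised above (does the `AlgorithmIdentifier` inside an SPKI pin down one TLS `SignatureScheme`?) can be answered mechanically. The following is an added example, not code from the original post or from the tls-subcerts draft: a minimal DER reader that extracts the `AlgorithmIdentifier` from a `SubjectPublicKeyInfo` and maps it to the `SignatureScheme` code points RFC 8446 section 4.2.3 permits for handshake signatures with that key type. The sample SPKIs are constructed inline with placeholder key bits (only the `AlgorithmIdentifier` matters here), and the scheme table is limited to CertificateVerify-usable schemes, so the PKCS#1 v1.5 code points are left out. The `scheme_compatible` check at the end is the extra verification a DC verifier would need under the SPKI-based design; it is this example's own helper, not something the draft specifies.

```python
"""Which TLS 1.3 SignatureSchemes can a given SubjectPublicKeyInfo sign with?

Added example, not part of the original post or of tls-subcerts. The scheme
table follows RFC 8446 section 4.2.3 for handshake (CertificateVerify)
signatures; sample SPKIs below are constructed with placeholder key bits.
"""

# Algorithm OIDs as they appear in SPKI AlgorithmIdentifiers.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption: key usable with several schemes
RSASSA_PSS = "1.2.840.113549.1.1.10"      # id-RSASSA-PSS
EC_PUBLIC_KEY = "1.2.840.10045.2.1"       # id-ecPublicKey, curve given in parameters
ED25519 = "1.3.101.112"
ED448 = "1.3.101.113"

# RFC 8446 SignatureScheme code points (handshake-signature subset).
SIGNATURE_SCHEME = {
    "ecdsa_secp256r1_sha256": 0x0403, "ecdsa_secp384r1_sha384": 0x0503,
    "ecdsa_secp521r1_sha512": 0x0603,
    "rsa_pss_rsae_sha256": 0x0804, "rsa_pss_rsae_sha384": 0x0805,
    "rsa_pss_rsae_sha512": 0x0806,
    "ed25519": 0x0807, "ed448": 0x0808,
    "rsa_pss_pss_sha256": 0x0809, "rsa_pss_pss_sha384": 0x080A,
    "rsa_pss_pss_sha512": 0x080B,
}
CURVE_SCHEMES = {  # namedCurve OID -> the single TLS 1.3 ECDSA scheme for it
    "1.2.840.10045.3.1.7": "ecdsa_secp256r1_sha256",
    "1.3.132.0.34": "ecdsa_secp384r1_sha384",
    "1.3.132.0.35": "ecdsa_secp521r1_sha512",
}


# --- tiny DER helpers (enough for SPKI: SEQUENCE, OID, NULL, BIT STRING) ---
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def read_tlv(buf, pos=0):
    """Return (tag, body, position after this element)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_algorithm_identifier(spki_der):
    """Return (algorithm OID, parameters) from an SPKI; curve params are decoded to an OID."""
    tag, spki, _ = read_tlv(spki_der)
    assert tag == 0x30, "SPKI must be a SEQUENCE"
    tag, algid, _ = read_tlv(spki)
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid_body, pos = read_tlv(algid)
    assert tag == 0x06, "algorithm must be an OID"
    params = None
    if pos < len(algid):
        ptag, pbody, _ = read_tlv(algid, pos)
        params = decode_oid(pbody) if ptag == 0x06 else (ptag, pbody)
    return decode_oid(oid_body), params


def handshake_schemes(spki_der):
    """Set of SignatureScheme names RFC 8446 allows for this key in CertificateVerify."""
    oid, params = parse_algorithm_identifier(spki_der)
    if oid == RSA_ENCRYPTION:   # rsa_pss_rsae_* all require the rsaEncryption OID
        return {"rsa_pss_rsae_sha256", "rsa_pss_rsae_sha384", "rsa_pss_rsae_sha512"}
    if oid == RSASSA_PSS:       # rsa_pss_pss_* all require the id-RSASSA-PSS OID
        return {"rsa_pss_pss_sha256", "rsa_pss_pss_sha384", "rsa_pss_pss_sha512"}
    if oid == EC_PUBLIC_KEY:
        return {CURVE_SCHEMES[params]} if params in CURVE_SCHEMES else set()
    if oid == ED25519:
        return {"ed25519"}
    if oid == ED448:
        return {"ed448"}
    return set()


def determines_unique_scheme(spki_der):
    return len(handshake_schemes(spki_der)) == 1


def scheme_compatible(spki_der, scheme_name):
    """The check a DC verifier must add if the signed string carries only the SPKI."""
    return scheme_name in handshake_schemes(spki_der)


# Constructed sample SPKIs (placeholder key bits; structure is what matters here).
def make_spki(alg_oid, params_der, key_bytes):
    algid = tlv(0x30, encode_oid(alg_oid) + params_der)
    return tlv(0x30, algid + tlv(0x03, b"\x00" + key_bytes))


SAMPLE_RSA_SPKI = make_spki(RSA_ENCRYPTION, b"\x05\x00", b"\x00" * 16)
SAMPLE_P256_SPKI = make_spki(EC_PUBLIC_KEY, encode_oid("1.2.840.10045.3.1.7"), b"\x04" + b"\x00" * 64)
SAMPLE_ED25519_SPKI = make_spki(ED25519, b"", b"\x00" * 32)

if __name__ == "__main__":
    for name, spki in [("rsaEncryption", SAMPLE_RSA_SPKI), ("P-256", SAMPLE_P256_SPKI), ("Ed25519", SAMPLE_ED25519_SPKI)]:
        print(name, sorted(handshake_schemes(spki)), "unique" if determines_unique_scheme(spki) else "ambiguous")
```

Running it shows the asymmetry: an `rsaEncryption` SPKI is valid for three PSS schemes (and the key material gives no way to tell which one the server will advertise), while P-256 and Ed25519 SPKIs each map to exactly one scheme. That is the gap the post's proposal closes by putting the `SignatureScheme` itself into the signed string rather than relying on the `AlgorithmIdentifier`.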