Valery Smyslov writes:
> > This is the reason why the RFC7427 only negotiates the hash algorithm,
> > and the section 5 of the RFC 7427 gives several ways of solving this
> > issue without doing protocol changes.
>
> No, section 5 is about a different problem: how to select
> a proper certificate, if we have several certificates containing
> public keys for different signature algorithms.

Not true. It is how to select the public key algorithm to use, and that
boils down to selecting a suitable private/public key pair from your own
private/public key pairs. When you have selected the private key you want
to use, that will then dictate which public key you are going to use and
also the certificate you are going to use. Even if you can use the same
private key for PKCS#1 and RSA-PSS, that does not mean that you should do
it. Using the same key for different algorithms breaks the key separation
principle, and I think that is considered a bad idea.

> Now we have the only certificate (or raw key), but we don't
> know how to use it, because there is more than one way of
> using it and the peer doesn't inform us what it supports.

When you are generating the signature you have a private key, and that
should have an algorithm associated with it... So when you select a public
key, that will have one private key associated with it that has one
algorithm associated with it, etc.

> RSASSA-PSS is just a specific problem we ran into, I suspect
> we can have the same sort of problem in the future with other signature
> algorithms, provided their number is nowadays increasing
> rapidly.

If I remember right, in the discussion about the different elliptic curve
algorithms the situation was the same, i.e., even if you could use the
same key for different algorithms, it is considered a bad idea...
-- 
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
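The point made above, that choosing the private key is what fixes the signature algorithm and therefore the AlgorithmIdentifier sent in the RFC 7427 AUTH payload, as an added worked example. This is not code from the thread or from any IKEv2 implementation; it assumes the Python 'cryptography' package, and the key store, the LocalKey record, the "bound_scheme" trust entry and the signed octets are hypothetical constructions for illustration. It goes one step beyond the message in that the verifier also enforces the binding, refusing an AUTH payload whose AlgorithmIdentifier says RSASSA-PKCS1-v1_5 for a key whose trust entry says RSASSA-PSS, and it shows that the same RSA public key would otherwise accept both signatures, which is why that separation has to be explicit policy rather than something the key itself can enforce.

```python
"""Added example (not from the thread or any IKEv2 stack): each local private key is bound to
one signature scheme, and the chosen key dictates the AlgorithmIdentifier carried in the
RFC 7427 AUTH payload.  Needs the 'cryptography' package; all names here are hypothetical."""
from collections import namedtuple
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

SHA2_256, SHA2_512 = 2, 4                          # IANA IKEv2 hash IDs (RFC 7427 s.4)
HASH = {SHA2_256: hashes.SHA256, SHA2_512: hashes.SHA512}
# OBJECT IDENTIFIER contents (tag and length added by tlv): id-sha256 / id-sha512,
# sha256WithRSAEncryption / sha512WithRSAEncryption, id-RSASSA-PSS, id-mgf1.
HASH_OID = {SHA2_256: bytes.fromhex("608648016503040201"), SHA2_512: bytes.fromhex("608648016503040203")}
PKCS1_OID = {SHA2_256: bytes.fromhex("2a864886f70d01010b"), SHA2_512: bytes.fromhex("2a864886f70d01010d")}
OID_PSS, OID_MGF1 = bytes.fromhex("2a864886f70d01010a"), bytes.fromhex("2a864886f70d010108")
HASH_BY_OID = {v: k for k, v in HASH_OID.items()}
PKCS1_BY_OID = {v: k for k, v in PKCS1_OID.items()}

def tlv(tag, body):
    """Minimal DER TLV, short-form length only (every AlgorithmIdentifier built here is < 128 bytes)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def parse(buf, off=0):
    """Read one DER element at buf[off] -> (tag, body, offset of the next element)."""
    tag, n = buf[off], buf[off + 1]
    return tag, buf[off + 2:off + 2 + n], off + 2 + n

def algid(scheme, hid):
    """AlgorithmIdentifier for RSASSA-PKCS1-v1_5 (NULL params) or RSASSA-PSS (RFC 4055 params)."""
    if scheme == "pkcs1":
        return tlv(0x30, tlv(0x06, PKCS1_OID[hid]) + b"\x05\x00")
    h = tlv(0x30, tlv(0x06, HASH_OID[hid]))        # SHA-2 AlgId with absent parameters
    mgf = tlv(0x30, tlv(0x06, OID_MGF1) + h)       # MGF1 over the same hash
    salt = tlv(0x02, bytes([HASH[hid].digest_size]))   # saltLength = digest length
    params = tlv(0x30, tlv(0xA0, h) + tlv(0xA1, mgf) + tlv(0xA2, salt))
    return tlv(0x30, tlv(0x06, OID_PSS) + params)

def pad(scheme, hid, salt):
    return padding.PKCS1v15() if scheme == "pkcs1" else padding.PSS(padding.MGF1(HASH[hid]()), salt)

# One private key, one scheme, one cert: 'scheme' is the only algorithm this key is ever used with.
LocalKey = namedtuple("LocalKey", "label scheme key hashes")

def select_key(keystore, peer_hashes):
    """First key in local preference order that the peer can verify, with the largest common hash ID.
    Choosing the key fixes the scheme, the AlgorithmIdentifier and the certificate to send."""
    for lk in keystore:
        common = set(lk.hashes) & set(peer_hashes)
        if common:
            return lk, max(common)
    raise ValueError("no key usable with the peer's SIGNATURE_HASH_ALGORITHMS")

def sign_auth(lk, hid, tbs):
    """RFC 7427 s.3 auth data: ASN.1 length (1 octet) | AlgorithmIdentifier | signature value."""
    a = algid(lk.scheme, hid)
    sig = lk.key.sign(tbs, pad(lk.scheme, hid, HASH[hid].digest_size), HASH[hid]())
    return bytes([len(a)]) + a + sig

def verify_auth(pub, bound_scheme, auth, tbs):
    """The AlgId says how to verify; the trust entry (bound_scheme) says what this key may be used for."""
    n = auth[0]
    _, seq, _ = parse(auth[1:1 + n])
    _, o, off = parse(seq)
    if o == OID_PSS:                               # RSASSA-PSS-params, RFC 4055
        scheme, params = "pss", parse(seq, off)[1]
        _, h, off = parse(params)                  # [0] hashAlgorithm
        hid = HASH_BY_OID[parse(parse(h)[1])[1]]
        off = parse(params, off)[2]                # [1] maskGenAlgorithm: MGF1 with the same hash
        salt = int.from_bytes(parse(parse(params, off)[1])[1], "big")   # [2] saltLength
    elif o in PKCS1_BY_OID:
        scheme, hid, salt = "pkcs1", PKCS1_BY_OID[o], 0
    else:
        return False, "unsupported AlgorithmIdentifier " + o.hex()
    if scheme != bound_scheme:
        return False, f"key bound to {bound_scheme}, AUTH uses {scheme}"
    try:
        pub.verify(auth[1 + n:], tbs, pad(scheme, hid, salt), HASH[hid]())
        return True, scheme
    except InvalidSignature:
        return False, "bad signature"

def demo():
    pss_key, v15_key = (rsa.generate_private_key(65537, 2048) for _ in range(2))   # one key per scheme
    keystore = [LocalKey("cert-pss", "pss", pss_key, (SHA2_256, SHA2_512)),
                LocalKey("cert-legacy", "pkcs1", v15_key, (SHA2_256,))]
    tbs = b"InitiatorSignedOctets (constructed placeholder)"
    lk, hid = select_key(keystore, (SHA2_256,))    # hash IDs from the peer's SIGNATURE_HASH_ALGORITHMS
    auth = sign_auth(lk, hid, tbs)
    ok = verify_auth(lk.key.public_key(), lk.scheme, auth, tbs)[0]
    # The same RSA key also yields a valid PKCS#1 v1.5 signature; the public key cannot tell the
    # schemes apart, so the separation has to come from the AlgId plus the key's trust entry.
    cross = sign_auth(LocalKey("misuse", "pkcs1", pss_key, (SHA2_256,)), SHA2_256, tbs)
    math_ok = verify_auth(pss_key.public_key(), "pkcs1", cross, tbs)[0]
    policy_ok, reason = verify_auth(pss_key.public_key(), "pss", cross, tbs)
    return lk.label, hid, ok, math_ok, policy_ok, reason
```

demo() selects the PSS key (the peer only offers SHA-256, which that key allows), signs, and verifies; it then signs with the same RSA key under PKCS#1 v1.5 and shows that this verifies mathematically against the same public key but is rejected once the key's trust entry says it is a PSS-only key. The SHA-2 AlgorithmIdentifier inside the PSS parameters is emitted with absent parameters, as RFC 4055 asks generators to do; a production parser would also have to accept the NULL form and the long-form DER lengths that this minimal helper deliberately does not handle.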
