On 07/08/10 15:22, [email protected] wrote:
Your other question: why not have a separate sigalg and hashalg? According to most other conventions, the two are kept together in one string.

OpenSSL uses this approach: http://www.openssl.org/docs/apps/ciphers.html

Sendmail uses a similar approach, but spells out the hash bits explicitly in the header:

(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
Under the covers, protocols like X.509 which use OIDs for codepoints typically use a single OID to identify a (pk alg, hash alg) pair; there may not be an OID defined for all possible combinations of hashes and signature algorithms. Some combinations of (pk alg, hash alg) might not even be sensible -- for instance, it makes no sense to use a hash function with an output too big to be directly signed by the public key algorithm.
TLS and SSL specifically use a "cipher suite" approach where a single identifier picks a complete set of algorithms and algorithm size parameters.
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
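As an added illustration of the point made above (this is not code from the mail or from the pkg project), the table below resolves a handful of well-known X.509 signature-algorithm OIDs to the (pk alg, hash alg) pair each one names, and checks the "hash too big to sign" case concretely for RSASSA-PKCS1-v1_5: the DER DigestInfo around the hash plus the minimum 11 bytes of padding must fit inside the modulus. The OID values and DigestInfo prefix lengths are taken from RFC 3279/5758 and RFC 8017 section 9.2; the function names, the table layout and the "sensible" rule are this example's own assumptions.

```python
"""
Added example: map a single X.509 signature OID to its (pk alg, hash alg)
pair, and check whether the hash output actually fits under
RSASSA-PKCS1-v1_5 for a given RSA modulus size.
"""
from __future__ import annotations

# One OID identifies one (pk alg, hash alg) pair (RFC 3279 / RFC 5758).
SIGALG_OIDS: dict[str, tuple[str, str]] = {
    "1.2.840.113549.1.1.4":  ("RSA", "MD5"),      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5":  ("RSA", "SHA-1"),    # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": ("RSA", "SHA-256"),  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": ("RSA", "SHA-384"),  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": ("RSA", "SHA-512"),  # sha512WithRSAEncryption
    "1.2.840.10040.4.3":     ("DSA", "SHA-1"),    # dsa-with-sha1
    "2.16.840.1.101.3.4.3.2": ("DSA", "SHA-256"), # dsa-with-sha256
    "1.2.840.10045.4.1":     ("ECDSA", "SHA-1"),  # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2":   ("ECDSA", "SHA-256"),  # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3":   ("ECDSA", "SHA-384"),  # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4":   ("ECDSA", "SHA-512"),  # ecdsa-with-SHA512
}

# hash output length, and length of the DER DigestInfo prefix that
# RSASSA-PKCS1-v1_5 wraps around it (RFC 8017, section 9.2, note 1)
HASH_INFO: dict[str, tuple[int, int]] = {
    "MD5":     (16, 18),
    "SHA-1":   (20, 15),
    "SHA-256": (32, 19),
    "SHA-384": (48, 19),
    "SHA-512": (64, 19),
}

# 0x00 0x01, at least eight 0xFF bytes, 0x00 (RFC 8017, section 9.2)
PKCS1_V15_MIN_PADDING = 11


def split_sigalg(oid: str) -> tuple[str, str]:
    """Resolve a signature OID to the (pk alg, hash alg) pair it names."""
    try:
        return SIGALG_OIDS[oid]
    except KeyError:
        raise ValueError(f"no (pk alg, hash alg) pair registered for OID {oid}") from None


def lookup_sigalg(pk: str, hash_alg: str) -> str | None:
    """Reverse lookup: the OID for a pair, or None when the table has none."""
    for oid, pair in SIGALG_OIDS.items():
        if pair == (pk, hash_alg):
            return oid
    return None


def pkcs1_v15_fits(hash_alg: str, modulus_bits: int) -> bool:
    """True if DigestInfo(hash) plus minimum padding fits in k modulus bytes."""
    digest_len, prefix_len = HASH_INFO[hash_alg]
    k = (modulus_bits + 7) // 8
    return digest_len + prefix_len + PKCS1_V15_MIN_PADDING <= k


def sensible(oid: str, modulus_bits: int | None = None) -> bool:
    """Example rule: an RSA sigalg is only sensible if its hash fits the key.

    DSA/ECDSA truncate the hash to the group order, so they are not
    rejected here; only the RSA size constraint is modelled.
    """
    pk, hash_alg = split_sigalg(oid)
    if pk == "RSA":
        if modulus_bits is None:
            raise ValueError("RSA sigalgs need a modulus size to judge")
        return pkcs1_v15_fits(hash_alg, modulus_bits)
    return True


if __name__ == "__main__":
    for oid in SIGALG_OIDS:
        pk, h = split_sigalg(oid)
        tag = "" if pk != "RSA" else f"  fits RSA-512: {pkcs1_v15_fits(h, 512)}"
        print(f"{oid:24} -> {pk}/{h}{tag}")
```

Running it shows why the (pk alg, hash alg) space is not a full grid: sha384WithRSAEncryption and sha512WithRSAEncryption cannot be used with a 512-bit RSA key at all (67 + 11 and 83 + 11 bytes exceed the 64-byte modulus), and the table has no OID for combinations such as ECDSA with MD5, so a single sigalg identifier both names the pair and implicitly rules out the nonsensical ones.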
