On Thu, Jul 08, 2010 at 03:50:48PM -0700, Bill Sommerfeld wrote:
> On 07/08/10 15:22, [email protected] wrote:
> >Your other question: why not have a separate sigalg and hashalg?
> >According to most other conventions, the two are kept together in one
> >string.
> >
> >OpenSSL uses this approach:
> >
> >     http://www.openssl.org/docs/apps/ciphers.html
> >
> >Sendmail uses a similar approach, but spells out the hash bits
> >explicitly in the header:
> >
> >     (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
> 
> Under the covers, protocols like X.509 which use OIDs for
> codepoints typically use a single OID to identify a (pk alg, hash
> alg) pair; there may not be an OID defined for all possible
> combinations of hashes and signature algorithms.  Some combinations
> of (pk alg, hash alg) might not even be sensible -- for instance, it
> makes no sense to use a hash function with an output too big to be
> directly signed by the public key algorithm.
> 
> TLS and SSL specifically use a "cipher suite" approach where a
> single identifier picks a complete set of algorithms and algorithm
> size parameters.

Yes, but that's exactly the question that's being debated here.  Should
the package have a separate attribute for each of pk alg and hash alg,
or should we have one identifier that concisely represents both (or maps
to those combinations of the two that we support)?

-j
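A sketch of the two conventions under debate, added here as an example and not code from this thread or from the pkg project: one combined identifier looked up in a table of supported pairs, versus separate pk-alg and hash-alg attributes that must be checked for sensibility at every use. The attribute names sigalg/pkalg/hashalg, the SUITES table and the RSA-only size check are this example's own assumptions.

```python
# PKCS#1 v1.5 DigestInfo lengths in bytes (RFC 3447 section 9.2, Note 1):
# a signature needs a key of at least (len + 11) bytes.
DIGESTINFO_LEN = {"sha1": 35, "sha256": 51, "sha384": 67, "sha512": 83}

# Convention A: one identifier names a supported (pk alg, hash alg) pair,
# like a TLS cipher suite; anything absent from the table is not offered.
# (Constructed table for this example, not the pkg project's own.)
SUITES = {
    "rsa-sha1": ("rsa", "sha1"),
    "rsa-sha256": ("rsa", "sha256"),
    "rsa-sha512": ("rsa", "sha512"),
}

def pair_is_sensible(pk, hash_alg, key_bits):
    """Reject (pk, hash) combinations that cannot actually produce a
    signature: unknown algorithms, or a DigestInfo that does not fit in
    an RSA PKCS#1 v1.5 block for a key of key_bits bits."""
    if pk != "rsa" or hash_alg not in DIGESTINFO_LEN:
        return False
    return key_bits // 8 >= DIGESTINFO_LEN[hash_alg] + 11

def resolve(attrs, key_bits):
    """Accept either convention and return a validated (pk, hash) pair.
    attrs is a dict of package attributes: {"sigalg": "rsa-sha256"} for
    the combined form, {"pkalg": "rsa", "hashalg": "sha256"} for the
    separate form (attribute names are this example's assumption)."""
    if "sigalg" in attrs:
        suite = attrs["sigalg"].lower()
        if suite not in SUITES:
            raise ValueError("unsupported signature suite: " + suite)
        pk, hash_alg = SUITES[suite]
    else:
        pk, hash_alg = attrs["pkalg"].lower(), attrs["hashalg"].lower()
    # The combined form is only as good as the SUITES table; the separate
    # form needs the check on every use, since any pair can be written.
    if not pair_is_sensible(pk, hash_alg, key_bits):
        raise ValueError("%s with %s cannot sign with a %d-bit key"
                         % (hash_alg, pk, key_bits))
    return pk, hash_alg

if __name__ == "__main__":
    print(resolve({"sigalg": "rsa-sha256"}, 2048))
    print(resolve({"pkalg": "rsa", "hashalg": "sha256"}, 1024))
    try:
        resolve({"pkalg": "rsa", "hashalg": "sha512"}, 512)
    except ValueError as e:
        print("rejected:", e)
```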
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss