In TLS 1.3, my understanding is that the digest function negotiated
using the Signature Algorithm should be used for generating
CertificateVerify, since the draft states that:

| Each SignatureScheme value lists a single signature algorithm that
| the client is willing to verify.
| (section 4.2.3)

| The Hash function and the HKDF hash are the cipher suite hash
| algorithm. Hash.length is its output length.
| (section 7.1)

The draft permits falling back to using SHA-1 certificates:

| TLS 1.3 servers MUST NOT offer a SHA-1 signed certificate unless no
| valid certificate chain can be produced without it.
| (section 4.2.3)

However, the draft also states:

| SHA-1 MUST NOT be used in any signatures in CertificateVerify. All
| SHA-1 signature algorithms in this specification are defined solely
| for use in legacy certificates, and are not valid for
| CertificateVerify signatures.
| (section 4.4.2)

So my question is, which signature algorithm am I supposed to use for
a rsa_pkcs1_sha1 certificate?  I'd assume that the answer is
rsa_pss_sha256, but I could not find any such indication within the

Kazuho Oku
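The two rules quoted in the post (SHA-1 signed certificates are a last-resort fallback for the chain; SHA-1 schemes are never valid for CertificateVerify) as a small policy selector. This is an added illustration, not code from the poster or any TLS stack; the draft-era SignatureScheme names, the "own_schemes" set and the list-of-lists chain representation are assumptions made for the example.

```python
# Draft-era SignatureScheme names that carry SHA-1 (assumed for this example).
SHA1_SCHEMES = {"rsa_pkcs1_sha1", "ecdsa_sha1"}


def usable_for_certificate_verify(scheme: str) -> bool:
    """Section 4.4.2: a SHA-1 scheme is never valid in CertificateVerify,
    regardless of what the peer advertised in signature_algorithms."""
    return scheme not in SHA1_SCHEMES


def choose_certificate_verify_scheme(peer_schemes, own_schemes):
    """Walk the peer's signature_algorithms list in its preference order and
    return the first scheme this endpoint can produce that is not SHA-1 based.
    Returns None when no acceptable scheme exists (the handshake cannot
    produce a valid CertificateVerify for this peer)."""
    for scheme in peer_schemes:
        if scheme in own_schemes and usable_for_certificate_verify(scheme):
            return scheme
    return None


def choose_certificate_chain(candidate_chains):
    """Section 4.2.3: offer a chain containing SHA-1 signatures only if no
    valid chain can be produced without one.
    candidate_chains: each entry lists the signature schemes used on the
    certificates of one valid chain, in the server's preference order."""
    for chain in candidate_chains:
        if not any(sig in SHA1_SCHEMES for sig in chain):
            return chain
    # Every valid chain uses SHA-1 somewhere: fall back to the preferred one.
    return candidate_chains[0] if candidate_chains else None


if __name__ == "__main__":
    # Constructed sample: peer lists the SHA-1 scheme first, PSS second.
    peer = ["rsa_pkcs1_sha1", "rsa_pss_sha256"]
    print(choose_certificate_verify_scheme(peer, {"rsa_pkcs1_sha1", "rsa_pss_sha256"}))
    print(choose_certificate_chain([["rsa_pkcs1_sha1"], ["rsa_pss_sha256"]]))
```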

TLS mailing list
