Hi,
In TLS 1.3, my understanding is that the digest function negotiated
using the Signature Algorithm should be used for generating
CertificateVerify, since the draft states that:

| Each SignatureScheme value lists a single signature algorithm that
| the client is willing to verify.
| (section 4.2.3)
| The Hash function and the HKDF hash are the cipher suite hash
| algorithm. Hash.length is its output length.
| (section 7.1)
The draft permits falling back to using SHA-1 certificates:
| TLS 1.3 servers MUST NOT offer a SHA-1 signed certificate unless no
| valid certificate chain can be produced without it.
| (section 4.2.3)
However, the draft also states:
| SHA-1 MUST NOT be used in any signatures in CertificateVerify. All
| SHA-1 signature algorithms in this specification are defined solely
| for use in legacy certificates, and are not valid for
| CertificateVerify signatures.
| (section 4.4.2)
So my question is, which signature algorithm am I supposed to use for
a rsa_pkcs1_sha1 certificate? I'd assume that the answer is
rsa_pss_sha256, but I could not find any such indication within the
draft.
--
Kazuho Oku
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
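An added example, not from the post above, showing how a server could apply the two quoted rules separately: SHA-1 may appear in the certificate chain only as a last resort (section 4.2.3), while the CertificateVerify scheme is chosen from the peer's signature_algorithms with every SHA-1 scheme excluded (section 4.4.2). It assumes, as the poster does, that an RSA key signs CertificateVerify with one of the draft's rsa_pss_* schemes; the scheme names are the draft's identifiers and the inputs are constructed.

```python
# Added example (not from the original post): choosing a certificate chain
# and a CertificateVerify signature scheme under the quoted draft rules.
# Assumption: RSA keys sign CertificateVerify with the rsa_pss_* schemes.

SHA1_SCHEMES = {"rsa_pkcs1_sha1", "ecdsa_sha1"}

# Preference order for CertificateVerify, keyed by the certificate key type.
# SHA-1 schemes are deliberately absent (section 4.4.2).
CERT_VERIFY_SCHEMES = {
    "rsa": ["rsa_pss_sha256", "rsa_pss_sha384", "rsa_pss_sha512"],
    "ecdsa": ["ecdsa_secp256r1_sha256", "ecdsa_secp384r1_sha384",
              "ecdsa_secp521r1_sha512"],
}


def chain_uses_sha1(chain):
    """chain: list of the scheme used to sign each certificate in the chain."""
    return any(scheme in SHA1_SCHEMES for scheme in chain)


def choose_chain(candidate_chains):
    """Prefer the first chain with no SHA-1 signature; only if every candidate
    needs SHA-1 does the server fall back to one (section 4.2.3)."""
    for chain in candidate_chains:
        if not chain_uses_sha1(chain):
            return chain
    return candidate_chains[0] if candidate_chains else None


def choose_certificate_verify_scheme(key_type, peer_schemes):
    """Pick the first scheme in our preference order for this key type that the
    peer advertised. SHA-1 schemes are never used here, even when the
    certificate itself is rsa_pkcs1_sha1 signed; returns None if nothing fits."""
    offered = set(peer_schemes) - SHA1_SCHEMES
    for scheme in CERT_VERIFY_SCHEMES.get(key_type, []):
        if scheme in offered:
            return scheme
    return None


if __name__ == "__main__":
    # Constructed inputs: one legacy SHA-1 chain and one SHA-256 chain, and a
    # peer that lists the SHA-1 scheme first.
    chains = [["rsa_pkcs1_sha1", "rsa_pkcs1_sha1"], ["rsa_pkcs1_sha256"]]
    peer = ["rsa_pkcs1_sha1", "rsa_pss_sha256", "ecdsa_secp256r1_sha256"]
    print("chain:", choose_chain(chains))
    print("CertificateVerify:", choose_certificate_verify_scheme("rsa", peer))
```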