Hi list, I am sorry for the very late answer concerning draft 18, but we (ANSSI) have several remarks after proof-reading the current specification.
We are sorry for the multiple long messages. If the WG is interested in some of our concerns/proposals, we would be glad to propose some PRs.

= Signature in certificates =

The two paragraphs in 4.4.1.2 P.56 starting with "All certificates" are very far from clear. They require (MUST) some behaviour, which is later reformulated with an unless part. I am not sure of the intent here, but we believe the current text should be rewritten to clearly express the intent of the WG.

My comprehension is that the server MUST use only signature schemes described in signature_algorithms, except for the following cases:

- for checking the signature in self-signed certificates or trust anchors (since this check is useless, the trust coming from an out-of-band mechanism in this case)
- when the only available chains use signature schemes that are not known to be supported by the client
- the case of SHA-1 is special

The same confusion can be found in 4.4.2 P.59 ("If sent by a server...")

Olivier Levillain
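As an added illustration (not part of the post above, nor of the draft or any TLS implementation), here is a toy model of the chain-selection rule the post reconstructs: every signature the client would actually verify must use a scheme from the client's signature_algorithms, except that self-signed certificates and trust anchors are not checked, and a chain using unadvertised schemes is still sent when no other chain exists. The SHA-1 case is only noted as "special" in the post, so it is not modelled. The certificate records, the anchor-by-subject lookup and the scheme values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Cert:
    """Toy certificate: only the fields the rule needs (assumed shape, not X.509)."""
    subject: str
    issuer: str
    sig_scheme: str  # TLS 1.3 SignatureScheme name used to sign THIS certificate

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

def unsupported_signatures(chain: List[Cert], client_sig_algs: Set[str],
                           trust_anchors: Set[str]) -> List[str]:
    """Schemes in `chain` the client did not advertise, skipping certificates the
    client never verifies a signature on: self-signed ones and configured anchors
    (anchors are identified here by subject name, a simplifying assumption)."""
    missing = []
    for cert in chain:
        if cert.self_signed or cert.subject in trust_anchors:
            continue
        if cert.sig_scheme not in client_sig_algs:
            missing.append(cert.sig_scheme)
    return missing

def select_chain(chains: List[List[Cert]], client_sig_algs: Set[str],
                 trust_anchors: Set[str]) -> Tuple[List[Cert], bool]:
    """Prefer a chain whose verifiable signatures all use advertised schemes.
    If none exists, return the first chain and flag it: this is the 'only available
    chains' exception, where the server sends a chain the client may reject."""
    for chain in chains:
        if not unsupported_signatures(chain, client_sig_algs, trust_anchors):
            return chain, True
    return chains[0], False

# Constructed sample data: one RSA PKCS#1 chain, one ECDSA chain, one cross-signed
# anchor, and a client that only advertises ECDSA and RSA-PSS.
CLIENT_SIG_ALGS = {"ecdsa_secp256r1_sha256", "rsa_pss_rsae_sha256"}
TRUST_ANCHORS = {"Root R", "Root E"}
CHAIN_RSA = [Cert("example.test", "Intermediate R", "rsa_pkcs1_sha256"),
             Cert("Intermediate R", "Root R", "rsa_pkcs1_sha256"),
             Cert("Root R", "Root R", "rsa_pkcs1_sha256")]
CHAIN_EC = [Cert("example.test", "Intermediate E", "ecdsa_secp256r1_sha256"),
            Cert("Intermediate E", "Root E", "ecdsa_secp256r1_sha256"),
            Cert("Root E", "Root E", "ecdsa_secp256r1_sha256")]
# Anchor cross-signed with an unadvertised scheme: not flagged, the client never checks it.
CHAIN_CROSS = [Cert("example.test", "Root E", "ecdsa_secp256r1_sha256"),
               Cert("Root E", "Legacy Root", "rsa_pkcs1_sha1")]

if __name__ == "__main__":
    print(select_chain([CHAIN_RSA, CHAIN_EC], CLIENT_SIG_ALGS, TRUST_ANCHORS)[1])
```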