Hi One issue that came up during WGLC for 4492bis is the way EdDSA signatures are mentioned in SignatureAndHashAlgorithm and in
In TLS 1.2 and 4492bis we have a SignatureAndHashAlgorithm struct with one byte for hash algorithm and another for signature algorithm.. The HashAlgorithm can be None(0), sha1(2), and a few more going up to sha512(6). The SignatureAlgorithm can be anon(0), rsa(1), dsa(2), and ecdsa(3). 4492bis adds a new value to SignatureAlgorithm for EdDSA (TBD5). Additionally, 4492bis requests two new NamedCurve values for ed25519 and ed448. 4492bis requires to use the None(0) HashAlgorithm with EdDSA. So to declare support for both curves of EdDSA, you’re expected to have (0x00,TBD5) in signature_algorithms and both new curves in elliptic_curves. TLS 1.3 replaces the signature_algorithms internal structure with a simple list of 16-bit values, but the old values are kept. So RSA with SHA1 is now 0x0201 instead of (0x02,0x01). However, for EdDSA the draft assigns two values: 0x0807 for Ed25519 and 0x0808 for Ed448. Bringing that back to the TLS 1.2 structure, it would mean that 0x08 is a new hash algorithm (that doesn’t really do anything) and 0x07 and 0x08 are two distinct signature algorithms (rather than the same algorithm, but with different curves). So four options here: 1. Leave it as its current inconsistent state 2. Change 4492bis: a. no new curves for ed25519 and ed448. b. Two new signature algorithms, and request values 7 and 8 for them. c. new hash algorithm 0x08 and call it something like “intrinsic” 3. Change TLS 1.3, by using 0x0007 for both EdDSA signature_algorithms and add two values to supported_groups. 4. A hybrid of 2 & 3: a. No new curves for 4492bis b. Two new signature algorithms with values 0x07 and 0x08 c. TLS 1.3 will modify the values to 0x0007 and 0x0008 There may be more options possible What do people think? Yoav _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls