Hi
One issue that came up during WGLC for 4492bis is the way EdDSA signatures are
mentioned in SignatureAndHashAlgorithm and in
In TLS 1.2 and 4492bis we have a SignatureAndHashAlgorithm struct with one byte
for hash algorithm and another for signature algorithm.. The HashAlgorithm can
be None(0), sha1(2), and a few more going up to sha512(6). The
SignatureAlgorithm can be anon(0), rsa(1), dsa(2), and ecdsa(3). 4492bis adds a
new value to SignatureAlgorithm for EdDSA (TBD5).
Additionally, 4492bis requests two new NamedCurve values for ed25519 and ed448.
4492bis requires to use the None(0) HashAlgorithm with EdDSA. So to declare
support for both curves of EdDSA, you’re expected to have (0x00,TBD5) in
signature_algorithms and both new curves in elliptic_curves.
TLS 1.3 replaces the signature_algorithms internal structure with a simple list
of 16-bit values, but the old values are kept. So RSA with SHA1 is now 0x0201
instead of (0x02,0x01). However, for EdDSA the draft assigns two values:
0x0807 for Ed25519 and 0x0808 for Ed448. Bringing that back to the TLS 1.2
structure, it would mean that 0x08 is a new hash algorithm (that doesn’t really
do anything) and 0x07 and 0x08 are two distinct signature algorithms (rather
than the same algorithm, but with different curves). So four options here:
1. Leave it as its current inconsistent state
2. Change 4492bis:
a. no new curves for ed25519 and ed448.
b. Two new signature algorithms, and request values 7 and 8 for them.
c. new hash algorithm 0x08 and call it something like “intrinsic”
3. Change TLS 1.3, by using 0x0007 for both EdDSA signature_algorithms and add
two values to supported_groups.
4. A hybrid of 2 & 3:
a. No new curves for 4492bis
b. Two new signature algorithms with values 0x07 and 0x08
c. TLS 1.3 will modify the values to 0x0007 and 0x0008
There may be more options possible
What do people think?
Yoav
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
