Hi,

The latest TLS 1.3 draft re-uses the sha256(4), sha384(5), sha512(6) with ecdsa(3) signature algorithm IDs for the following signature algorithms:

    /* ECDSA algorithms */
    ecdsa_secp256r1_sha256(0x0403),
    ecdsa_secp384r1_sha384(0x0503),
    ecdsa_secp521r1_sha512(0x0603),

These are similar but have different semantics; as indicated by their name, they can be used with a single curve. That makes the handshake conversation something like:

Client: Use ecdsa_secp256r1_sha256 under TLS 1.3, or ecdsa with whichever curve and sha256 if under TLS 1.2.

That, apart from being confusing, means that a client which is willing to fall back to TLS 1.2 cannot restrict its options to ecdsa_secp256r1_sha256 (i.e., require the secp256r1 curve for signatures). One could work around it by utilizing the elliptic curves extension, but that also has different semantics under TLS 1.3.

So my question is: why not go for the simpler approach and create new identifiers for the new signature algorithms (similarly to RSA-PSS)? Is there an advantage of re-using the ECDSA signature algorithm identifiers to mean something different in TLS 1.3? Was there some discussion on the topic on the list? [0]

[0] https://github.com/tlswg/tls13-spec/issues/1035
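As an added illustration (not part of the original message or of the TLS specification), the following Python model shows the two readings of the same codepoint that the post describes: under TLS 1.3 semantics 0x0403 pins the signing curve to secp256r1, under TLS 1.2 semantics it is "ECDSA with any curve, SHA-256", so a client offering only 0x0403 still accepts a P-384 signature once it falls back. The `supported_groups` parameter models the elliptic_curves workaround mentioned in the post (limiting the signing curve in TLS 1.2 only); the extension bytes are constructed for the example.

```python
import struct

# TLS 1.2 (RFC 5246) SignatureAndHashAlgorithm: first byte hash, second byte signature.
HASH_TLS12 = {4: "sha256", 5: "sha384", 6: "sha512"}
SIG_TLS12 = {3: "ecdsa"}

# TLS 1.3 draft SignatureScheme codepoints quoted in the message: one fixed curve each.
SCHEME_TLS13 = {
    0x0403: ("ecdsa", "secp256r1", "sha256"),
    0x0503: ("ecdsa", "secp384r1", "sha384"),
    0x0603: ("ecdsa", "secp521r1", "sha512"),
}


def parse_signature_algorithms(body: bytes) -> list:
    """Parse a signature_algorithms extension body: uint16 length, then uint16 codepoints."""
    (length,) = struct.unpack("!H", body[:2])
    if length % 2 or length != len(body) - 2:
        raise ValueError("malformed signature_algorithms extension")
    return list(struct.unpack("!%dH" % (length // 2), body[2:2 + length]))


def interpret(version: str, codepoint: int):
    """Meaning of one codepoint as (signature, curve constraint or None, hash)."""
    if version == "1.3":
        if codepoint not in SCHEME_TLS13:
            raise ValueError("unknown TLS 1.3 SignatureScheme 0x%04x" % codepoint)
        return SCHEME_TLS13[codepoint]
    if (codepoint & 0xFF) not in SIG_TLS12 or (codepoint >> 8) not in HASH_TLS12:
        raise ValueError("unknown TLS 1.2 SignatureAndHashAlgorithm 0x%04x" % codepoint)
    return (SIG_TLS12[codepoint & 0xFF], None, HASH_TLS12[codepoint >> 8])  # None: any curve


def accepts(version, offered, supported_groups, sig, curve, hash_name) -> bool:
    """Would a client that offered these codepoints accept a server signature made with
    (sig, curve, hash_name)?  supported_groups models the elliptic_curves workaround:
    in TLS 1.2 it also limits the signing curve, in TLS 1.3 it covers key exchange only."""
    for cp in offered:
        s, curve_constraint, h = interpret(version, cp)
        if s != sig or h != hash_name:
            continue
        if curve_constraint is not None:
            ok = curve_constraint == curve
        elif version == "1.2" and supported_groups is not None:
            ok = curve in supported_groups
        else:
            ok = True
        if ok:
            return True
    return False


# Constructed extension body: a client offering only ecdsa_secp256r1_sha256 (0x0403).
ONLY_0403 = b"\x00\x02\x04\x03"
```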
