On 4 July 2017 at 07:43, Nikos Mavrogiannopoulos <[email protected]> wrote:
> So my question is why not go for the simpler approach and create new
> identifiers for the new signature algorithms? (similarly to RSA-PSS).
> Is there an advantage of re-using the ECDSA signature algorithm
> identifiers to mean something different in TLS 1.3? Was there some
> discussion on the topic on the list?

This was fairly extensively litigated. I remember Hannes asking exactly the same question, but I forget which in-person meeting it was. It might have been IETF 97. Unfortunately, any search I do on this subject turns up the hundreds of emails on using signature algorithms for selecting certificates.

What I've found is that this isn't that difficult to implement correctly, even across versions. As David Benjamin suggested in earlier emails, you can change to using a 16-bit codepoint in your code. Then you add a curve-matching restriction if the selected version is TLS 1.3 (or greater). The only issues we had were with the functions it uses to configure the stack, but those are internal issues.
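
The approach described in the reply above, as an added example that is not part of the original message or of any TLS stack's code: signature algorithms are handled as 16-bit codepoints, and the curve-matching check applies only when the negotiated version is TLS 1.3 or greater. The function names are hypothetical; the codepoint and group values are the ones assigned in the TLS registries.

```c
#include <stddef.h>
#include <stdint.h>

/* Protocol versions as they appear on the wire. */
#define TLS_1_2 0x0303
#define TLS_1_3 0x0304

/* NamedGroup codepoints for the NIST curves. */
#define GROUP_SECP256R1 23
#define GROUP_SECP384R1 24
#define GROUP_SECP521R1 25

/* In TLS 1.3 each ECDSA codepoint is tied to exactly one curve. */
static const struct { uint16_t scheme; uint16_t curve; } ecdsa_schemes[] = {
    { 0x0403, GROUP_SECP256R1 }, /* ecdsa_secp256r1_sha256 */
    { 0x0503, GROUP_SECP384R1 }, /* ecdsa_secp384r1_sha384 */
    { 0x0603, GROUP_SECP521R1 }, /* ecdsa_secp521r1_sha512 */
};

/* Hypothetical helper: may a key on key_curve sign with this codepoint
 * under the negotiated version? Returns 1 if allowed, 0 otherwise. */
int ecdsa_scheme_allowed(uint16_t version, uint16_t scheme, uint16_t key_curve)
{
    size_t i;
    for (i = 0; i < sizeof(ecdsa_schemes) / sizeof(ecdsa_schemes[0]); i++) {
        if (ecdsa_schemes[i].scheme != scheme)
            continue;
        /* Before TLS 1.3 the same 16 bits are a (hash, ecdsa) pair,
         * so the curve of the key is not constrained. */
        if (version < TLS_1_3)
            return 1;
        /* TLS 1.3 or greater: the curve must match the codepoint. */
        return ecdsa_schemes[i].curve == key_curve;
    }
    return 0; /* not an ECDSA codepoint in this table */
}

/* Hypothetical helper: first codepoint in the peer's preference list that
 * the local ECDSA key can use; 0 means no usable codepoint was offered. */
uint16_t select_ecdsa_scheme(uint16_t version, const uint16_t *peer,
                             size_t n, uint16_t key_curve)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (ecdsa_scheme_allowed(version, peer[i], key_curve))
            return peer[i];
    return 0;
}
```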
