Hello all,

I am not certain whether the issue of multiple signature algorithms has previously come up in the TLS 1.3 discussion and was wondering if this is something we need to consider.

As many of you know, updating roots of trust to support quantum-resistant algorithms in various devices may be a fairly urgent issue. Fortunately, we can use hash-based algorithms for that soon. Hash-based algorithms can even be used in end-entity certificates for code signing.

Now, I am wondering if we will ever have a situation where we will need to support certificate chains in TLS where CA certificates use hash-based algorithms and end-entity certificates use some new stateless signature algorithm. If that is the case, we will need to support multiple digital signatures in one certificate chain.

Does TLS 1.3 currently permit negotiating multiple signature algorithms? Admittedly I don’t quite have the current draft memorized, but a cursory reading of v21 seems to suggest that it does not allow for multiple algorithms; simply that the client sends an ordered list of preferred algorithms and the server selects one of them. If not, then does anyone think it is worthwhile to add this functionality to TLS 1.3?

Thanks in advance,
Philip Lafrance

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
