The specification of the new signature_algorithms_cert seems somewhat
lacking to me. There is very little description about how it should be
interpreted. About the best I can get from the spec is this:

   The "signature_algorithms_cert" extension applies to signatures in
   certificates and the "signature_algorithms" extension, which
   originally appeared in TLS 1.2, applies to signatures in
   CertificateVerify messages.

But in section 4.4.2.2 we see this:

   All certificates provided by the server MUST be signed by a signature
   algorithm that appears in the "signature_algorithms" extension
   provided by the client, if they are able to provide such a chain (see
   Section 4.2.3).  Certificates that are self-signed or certificates
   that are expected to be trust anchors are not validated as part of
   the chain and therefore MAY be signed with any algorithm.


Is this an oversight? Should this reference "signature_algorithms_cert"
as well/instead?

Some questions:

- Is "signature_algorithms_cert" mandatory to implement for servers? It
does not appear in 9.2, so I am assuming not. There is some text in 4.2.3
which says what to do if "signature_algorithms_cert" is not present,
which seems to confirm that it is not mandatory for clients at least.

- Are we allowed to ignore "signature_algorithms_cert" if we can't build
a chain and honour its contents?


Matt

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

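The interpretation the message is asking about can be made concrete. The following is an added example, not code from the original post or from any TLS implementation. It decodes the two extensions from a constructed ClientHello extensions block (extension types 13 and 50, each carrying a `SignatureScheme` list of 2-byte code points), applies the rule in 4.2.3 that "signature_algorithms" governs certificate signatures only when "signature_algorithms_cert" is absent, and then applies 4.4.2.2 to a set of constructed candidate chains: every certificate validated as part of the chain must be signed with a permitted algorithm, self-signed trust anchors are exempt, and if no chain satisfies the client the server falls back to a chain of its choice rather than aborting (4.2.3). The chain representation, the sample code points chosen and the helper names are this example's own assumptions.

```python
"""Interpreting TLS 1.3 signature_algorithms / signature_algorithms_cert
(RFC 8446 sections 4.2.3 and 4.4.2.2) against constructed inputs."""
import struct

# IANA SignatureScheme code points (RFC 8446 section 4.2.3).
RSA_PKCS1_SHA1 = 0x0201
RSA_PKCS1_SHA256 = 0x0401
ECDSA_SECP256R1_SHA256 = 0x0403
RSA_PSS_RSAE_SHA256 = 0x0804
ED25519 = 0x0807

# ExtensionType values from the IANA TLS registry.
EXT_SIGNATURE_ALGORITHMS = 13
EXT_SIGNATURE_ALGORITHMS_CERT = 50


def parse_extensions(blob: bytes) -> dict:
    """Parse an extensions vector (2-byte length, then type/len/data
    triples) into {type: data}; reject truncation and duplicates."""
    if len(blob) < 2:
        raise ValueError("short extensions block")
    (total,) = struct.unpack("!H", blob[:2])
    body = blob[2:]
    if len(body) != total:
        raise ValueError("extensions length mismatch")
    exts, pos = {}, 0
    while pos < total:
        if total - pos < 4:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if total - pos < ext_len:
            raise ValueError("truncated extension body")
        if ext_type in exts:
            raise ValueError("duplicate extension %d" % ext_type)
        exts[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    return exts


def parse_signature_scheme_list(data: bytes) -> list:
    """Decode SignatureScheme supported_signature_algorithms<2..2^16-2>."""
    if len(data) < 2:
        raise ValueError("short SignatureScheme list")
    (length,) = struct.unpack("!H", data[:2])
    if length < 2 or length % 2 or len(data) != 2 + length:
        raise ValueError("bad SignatureScheme list length")
    return list(struct.unpack("!%dH" % (length // 2), data[2:]))


def certificate_signature_algorithms(exts: dict) -> list:
    """Algorithms the client accepts for signatures inside certificates.
    4.2.3: signature_algorithms_cert wins if present; otherwise
    signature_algorithms applies to certificate signatures too."""
    if EXT_SIGNATURE_ALGORITHMS_CERT in exts:
        return parse_signature_scheme_list(exts[EXT_SIGNATURE_ALGORITHMS_CERT])
    return parse_signature_scheme_list(exts[EXT_SIGNATURE_ALGORITHMS])


def chain_acceptable(chain: list, allowed: list) -> bool:
    """4.4.2.2: every certificate validated as part of the chain must be
    signed with an allowed algorithm; self-signed anchors are exempt."""
    return all(sig in allowed for (_name, sig, self_signed) in chain
               if not self_signed)


def select_chain(chains: list, allowed: list) -> list:
    """First chain honouring the client's list; if none does, 4.2.3 says
    the server SHOULD continue with a chain of its choice (here: the first)."""
    for chain in chains:
        if chain_acceptable(chain, allowed):
            return chain
    return chains[0]


def encode_extension(ext_type: int, schemes: list) -> bytes:
    body = struct.pack("!H", 2 * len(schemes)) + struct.pack("!%dH" % len(schemes), *schemes)
    return struct.pack("!HH", ext_type, len(body)) + body


def build_extensions(*exts: bytes) -> bytes:
    joined = b"".join(exts)
    return struct.pack("!H", len(joined)) + joined


# Constructed client: PSS/ECDSA/Ed25519 for CertificateVerify, but only
# PKCS#1-SHA256 and ECDSA-P256 for signatures inside certificates.
CLIENT_HELLO_EXTS = build_extensions(
    encode_extension(EXT_SIGNATURE_ALGORITHMS,
                     [RSA_PSS_RSAE_SHA256, ECDSA_SECP256R1_SHA256, ED25519]),
    encode_extension(EXT_SIGNATURE_ALGORITHMS_CERT,
                     [RSA_PKCS1_SHA256, ECDSA_SECP256R1_SHA256]),
)

# Constructed chains: (name, algorithm this cert is signed with, self_signed).
CHAIN_SHA1_INTERMEDIATE = [
    ("leaf", RSA_PKCS1_SHA256, False),
    ("intermediate", RSA_PKCS1_SHA1, False),  # SHA-1 on a validated cert
    ("root", RSA_PKCS1_SHA1, True),           # self-signed anchor: exempt
]
CHAIN_CLEAN = [
    ("leaf", ECDSA_SECP256R1_SHA256, False),
    ("intermediate", RSA_PKCS1_SHA256, False),
    ("root", RSA_PKCS1_SHA1, True),           # self-signed anchor: exempt
]

if __name__ == "__main__":
    allowed = certificate_signature_algorithms(parse_extensions(CLIENT_HELLO_EXTS))
    chosen = select_chain([CHAIN_SHA1_INTERMEDIATE, CHAIN_CLEAN], allowed)
    print("certificate algorithms:", [hex(a) for a in allowed])
    print("selected chain:", [name for name, _, _ in chosen])
```

Run stand-alone it selects `CHAIN_CLEAN`, because the SHA-1 signature on the intermediate of the other chain is not in the client's "signature_algorithms_cert" list, while the SHA-1 self-signature on the root is ignored in both chains. Dropping the "signature_algorithms_cert" extension from the constructed ClientHello makes `certificate_signature_algorithms` return the "signature_algorithms" list instead, which is the 4.2.3 fallback the original message refers to.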