On Thu, Oct 30, 2025 at 11:42:32AM +1100, Viktor Dukhovni wrote:
> On Wed, Oct 29, 2025 at 12:10:59PM -0400, David Benjamin wrote:
> > The rules in RFC 5929 are quite unfortunate because it means that the
> > application needs to actually recognize the signature algorithm, in
> > addition to breaking through the abstraction and decomposing it. It's
> > similarly ill-defined for RSA-PSS, which uses a couple different hash
> > functions, and need not match. This is particularly silly because the side
> > presenting the certificate does not actually need to evaluate the
> > certificate signature, and could be broadly opaque to it.
> > (signature_algorithms_cert aside, but dispatching on that is not very
> > common.)
>
> I strongly support the position that it is a bad idea to require
> implementations to know the internals of what should be black box
> constructions.
Sure, but here it's more a specification issue; it's just that those who specify signature algorithms don't know that they have to specify a hash function for this one purpose even if their signature algorithms don't make use of a hash function.

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
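An added example, not code from this thread or from any of its authors: a stdlib-only Python routine that derives the RFC 5929 tls-server-end-point channel binding from the outer signatureAlgorithm of a DER certificate, and reports the binding as undefined (None) where the algorithm names no single hash, which is the RSA-PSS / hash-less case discussed above. The minimal DER reader, the OID table and the certificate shell used as sample input are constructed here for illustration.

```python
import hashlib

# Hash named by the outer signatureAlgorithm OID; RFC 5929 maps MD5/SHA-1 to SHA-256.
SIG_HASH = {"1.2.840.113549.1.1.4": "md5", "1.2.840.113549.1.1.5": "sha1",   # RSA PKCS#1 v1.5
            "1.2.840.113549.1.1.11": "sha256", "1.2.840.113549.1.1.12": "sha384",
            "1.2.840.113549.1.1.13": "sha512", "1.2.840.10045.4.1": "sha1",   # ECDSA
            "1.2.840.10045.4.3.2": "sha256", "1.2.840.10045.4.3.3": "sha384",
            "1.2.840.10045.4.3.4": "sha512"}
RSASSA_PSS = "1.2.840.113549.1.1.10"   # hashes live in the parameters, and the MGF1 hash need not match

def _tlv(buf, pos):
    """Minimal DER reader (constructed here): (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n, length = length & 0x7F, int.from_bytes(buf[pos:pos + (length & 0x7F)], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _oid(content):
    """Decode OID content octets to dotted form."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))

def channel_binding_hash(cert_der):
    """Hash for tls-server-end-point, or None: RFC 5929 leaves the binding undefined
    when the signatureAlgorithm uses no hash or more than one (PSS, id-Ed25519 1.3.101.112)."""
    _, cert, _ = _tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    _, _, pos = _tlv(cert, 0)                      # skip tbsCertificate
    _, alg, _ = _tlv(cert, pos)                    # signatureAlgorithm AlgorithmIdentifier
    tag, oid_bytes, _ = _tlv(alg, 0)
    oid = _oid(oid_bytes) if tag == 0x06 else ""
    if oid == RSASSA_PSS or oid not in SIG_HASH:
        return None
    return "sha256" if SIG_HASH[oid] in ("md5", "sha1") else SIG_HASH[oid]

def server_end_point(cert_der):
    """tls-server-end-point channel binding: hash of the whole DER certificate."""
    name = channel_binding_hash(cert_der)
    if name is None:
        raise ValueError("signature algorithm defines no hash for this channel binding")
    return hashlib.new(name, cert_der).digest()

def _der(tag, content):                           # short-form lengths only (enough for the sample)
    return bytes([tag, len(content)]) + content

def sample_cert(sig_oid_hex):
    """Constructed, non-verifiable certificate shell carrying the given signatureAlgorithm OID."""
    tbs = _der(0x30, _der(0x02, b"\x02"))          # stand-in tbsCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xab" * 8))
```

The sample shell is only enough DER to exercise the algorithm dispatch; on a real certificate the same functions take the full DER encoding as received from the peer.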
