Re: Handling signature_algorithm extension on TLS1.3 server

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




> On Jun 7, 2019, at 12:07 PM, Hubert Kario <hkario@xxxxxxxxxx> wrote:
> 
> OTOH, the practice in TLS 1.2, and behaviour codified in TLS 1.3 RFC, is that 
> if you have just one chain, give it to client and let it sort out if it likes 
> it or not

Absolutely.  The text in RFC5246 is a specification overreach from TLS into
X.509 that is counterproductive in practice.  We should not implement the
part of RFC5246 that would have the server fail the handshake when its
certificate chain has *potentially* unsupported signatures.  Deciding
whether the chain is OK (or even looked at all) is up to the client.

-- 
	Viktor.





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux