Re: TLS 1.2 server

gnutls-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: TLS 1.2 server

From:	Daiki Ueno
Subject:	Re: TLS 1.2 server
Date:	Wed, 30 Sep 2009 19:47:12 +0900
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/23.1.50 (gnu/linux)

>>>>> In <address@hidden> 
>>>>>   Simon Josefsson <address@hidden> wrote:
> What do you think we should do about the CertificateRequest
> supported_signature_algorithms field?  I think the application may want
> to look at the server preference when deciding which certificate to use,
> and GnuTLS may want to use this information internally too, when it is
> selecting the certificate.

I have thought of something like:

* Provide the following default ordering of algorithms:

  RSA_SHA512(*)
  RSA_SHA384(*)
  RSA_SHA256(*)
  RSA_SHA1(+)
  DSA_SHA1(+)

  * is only available if RSA certificate is given
  + is only available if DSA certificate is given

* The application may supply the preference through a priority string
  like this: "+SIGN_RSA_SHA256:-SIGN_RSA_SHA384:!SIGN_RSA_SHA1", where
  "+" moves the given algorithm to the top, "-" moves it to the bottom,
  and "!"  disables it.

Any thoughts?

Regards,
-- 
Daiki Ueno

[Prev in Thread]

Current Thread

[Next in Thread]

TLS 1.2 server, Daiki Ueno, 2009/09/29
- Re: TLS 1.2 server, Simon Josefsson, 2009/09/30
  - Re: TLS 1.2 server, Daiki Ueno <=
    - Re: TLS 1.2 server, Simon Josefsson, 2009/09/30
  - Re: TLS 1.2 server, Simon Josefsson, 2009/09/30
    - Re: TLS 1.2 server, Daiki Ueno, 2009/09/30
    - Re: TLS 1.2 server, Simon Josefsson, 2009/09/30
    - Re: TLS 1.2 server, Daiki Ueno, 2009/09/30

Prev by Date: Re: TLS 1.2 server
Next by Date: Re: TLS 1.2 server
Previous by thread: Re: TLS 1.2 server
Next by thread: Re: TLS 1.2 server
Index(es):
- Date
- Thread