[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: TLS 1.2 server
From: |
Daiki Ueno |
Subject: |
Re: TLS 1.2 server |
Date: |
Wed, 30 Sep 2009 19:47:12 +0900 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/23.1.50 (gnu/linux) |
>>>>> In <address@hidden>
>>>>> Simon Josefsson <address@hidden> wrote:
> What do you think we should do about the CertificateRequest
> supported_signature_algorithms field? I think the application may want
> to look at the server preference when deciding which certificate to use,
> and GnuTLS may want to use this information internally too, when it is
> selecting the certificate.
I have thought of something like:
* Provide the following default ordering of algorithms:
RSA_SHA512(*)
RSA_SHA384(*)
RSA_SHA256(*)
RSA_SHA1(+)
DSA_SHA1(+)
* is only available if RSA certificate is given
+ is only available if DSA certificate is given
* The application may supply the preference through a priority string
like this: "+SIGN_RSA_SHA256:-SIGN_RSA_SHA384:!SIGN_RSA_SHA1", where
"+" moves the given algorithm to the top, "-" moves it to the bottom,
and "!" disables it.
Any thoughts?
Regards,
--
Daiki Ueno