On 10/21/2020 1:01 PM, Jamil Nimeh wrote:
I'm not very sure why EdDSA cannot apply to ServerKeyExchange and
CertificateVerify in TLS 1.0 and 1.1. ServerKeyExchange and
CertificateVerify are used to authenticate the server's or the client's
possession of the private key of the cert. So if EdDSA cannot be used
for them, the EdDSA certificate should not be selected for TLS 1.0/1.1
either. I have not read the RFC fully yet, but it looks like EdDSA
can be used for TLS 1.0/1.1 ServerKeyExchange and CertificateVerify as
well. I may be missing something.
JN: So far I have yet to find a server implementation that will accept a
1.0/1.1 client hello with no signature_algorithms extension and not
barf.
It's OK if we don't want to support EdDSA for TLS 1.0/1.1 for some
reason, although I would prefer to support it for better interoperability.
I did not get the idea of the CSR. It may be nice to have an explicit
statement that we don't support certificates with an EdDSA-capable public key
for TLS 1.0 and 1.1.
Xuelei
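The point of the thread is that a TLS 1.0/1.1 ClientHello carries no signature_algorithms extension, so a server cannot tell whether the peer can verify an EdDSA signature and should not select an EdDSA certificate for those versions. The following Python is an added illustration of that selection rule, not JDK/JSSE code and not code from either author. It builds a minimal constructed ClientHello (the bytes are synthetic, not a capture), extracts the client version and any signature_algorithms list, and applies the rule when choosing among server certificates. The `select_certificate` helper, the alias names and the simplification that RSA/ECDSA certificates are always considered eligible are assumptions made for the example.

```python
import struct

TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
SIGNATURE_ALGORITHMS_EXT = 13        # extension type registered by RFC 5246
ED25519, ED448 = 0x0807, 0x0808      # SignatureScheme code points (RFC 8422 / RFC 8446)
ECDSA_P256_SHA256 = 0x0403           # a non-EdDSA scheme, used only as filler below


def build_client_hello(version, sig_algs=None):
    """Build a minimal ClientHello body. Constructed test input, not a real capture."""
    body = struct.pack(">H", version) + bytes(32)   # client_version, 32-byte random
    body += b"\x00"                                 # empty session_id
    body += b"\x00\x02\x00\x2f"                     # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                             # compression_methods: null only
    if sig_algs is not None:                        # TLS 1.2-style hello advertises schemes
        algs = b"".join(struct.pack(">H", a) for a in sig_algs)
        ext = (struct.pack(">HH", SIGNATURE_ALGORITHMS_EXT, len(algs) + 2)
               + struct.pack(">H", len(algs)) + algs)
        body += struct.pack(">H", len(ext)) + ext
    return body


def parse_client_hello(body):
    """Return (client_version, signature_algorithms list or None if the extension is absent)."""
    version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                    # skip client_version and random
    sid_len = body[pos]; pos += 1 + sid_len         # session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    comp_len = body[pos]; pos += 1 + comp_len       # compression_methods
    sig_algs = None
    if pos < len(body):                             # extensions block is optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == SIGNATURE_ALGORITHMS_EXT:
                n = struct.unpack(">H", data[:2])[0]
                sig_algs = [struct.unpack(">H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return version, sig_algs


def eddsa_cert_usable(negotiated_version, sig_algs):
    """Decide whether an EdDSA certificate may authenticate this handshake.

    TLS 1.0/1.1 hellos carry no signature_algorithms extension, so the peer cannot
    signal EdDSA support; require TLS 1.2 or later and an advertised EdDSA scheme.
    """
    if negotiated_version < TLS12:
        return False
    return bool(sig_algs) and any(a in (ED25519, ED448) for a in sig_algs)


def select_certificate(certs, negotiated_version, sig_algs):
    """Return the alias of the first certificate eligible for this handshake.

    certs is a list of (alias, key_algorithm) pairs (hypothetical key-store view).
    Simplification for the example: RSA/ECDSA entries are treated as always eligible.
    """
    for alias, key_alg in certs:
        if key_alg in ("Ed25519", "Ed448", "EdDSA"):
            if eddsa_cert_usable(negotiated_version, sig_algs):
                return alias
        else:
            return alias
    return None


if __name__ == "__main__":
    certs = [("server-ed25519", "Ed25519"), ("server-rsa", "RSA")]
    for hello in (build_client_hello(TLS10), build_client_hello(TLS12, [ECDSA_P256_SHA256, ED25519])):
        version, algs = parse_client_hello(hello)
        print(hex(version), algs, "->", select_certificate(certs, version, algs))
```

With the EdDSA entry listed first, the TLS 1.0 hello falls through to the RSA certificate because no signature_algorithms list is present, while the TLS 1.2 hello that advertises ed25519 gets the EdDSA certificate.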