On Fri, Sep 18, 2020 at 10:28 AM Sean Turner <s...@sn3rd.com> wrote: > Also, should we be adding “_legacy” to the names of the code points as was > done for rsa_pkcs1_sha256_legacy by: > https://www.ietf.org/archive/id/draft-davidben-tls13-pkcs1-00.txt? >
My inclination is no. We didn't go about renaming the huge mess of TLS cipher suites or anything else that I remember. The "_legacy" suffix in that draft has a slightly different meaning (perhaps I should have picked a different name). The existing rsa_pkcs1_sha256 code points from TLS 1.2 were carried over into TLS 1.3 but with a subsetted meaning. In TLS 1.2, rsa_pkcs1_sha256 advertises both TLS and X.509 capabilities, but in TLS 1.3 it advertises only X.509 capabilities. rsa_pkcs1_sha256 is undefined for a TLS CertificateVerify because we took PKCS#1 v1.5 out. So, in order for TLS 1.3 servers to opt into accepting PKCS#1 v1.5 signatures in CertificateVerify, the draft needed to define new code points with a CertificateVerify capability. rsa_pkcs1_sha256_tls1_3_certificate_verify_for_legacy_clients was a mouthful, so I just added a "legacy" suffix. :-) David
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls