
Re: Algorithm Identifiers in sip-sec-flows

2008-07-14 12:05:27

On Mon, Jul 14, 2008 at 11:16:58AM -0700, Eric Rescorla wrote:
>    Implementations SHOULD generate SHA-1
>    AlgorithmIdentifiers with absent parameters.
> However, as far as I can tell OpenSSL currently generates the encoding
> with NULL rather than absent, and my memory is that the last time I
> discussed this with the OpenSSL implementors, they weren't interested
> in changing this.
>
> When we were last working on this a few years ago, I got some message
> from Fluffy saying that we should try to generate an encoding with
> absent regardless. I spent some time patching OpenSSL to make it do
> this, but upon reexamination, it seems kind of lame to have an example
> in the draft that requires some one-off patch to generate, so I
> thought it might be a good idea to get some more advice from the WG.
> I'm not suggesting we change 3370, but is it really necessary to
> have examples which need to be hand-tooled?

From RFC 2119:

  3. SHOULD   This word, or the adjective "RECOMMENDED", mean that there
     may exist valid reasons in particular circumstances to ignore a
     particular item, but the full implications must be understood and
     carefully weighed before choosing a different course.

I say that the OpenSSL implementation emitting NULL and the prevalence of
that implementation constitute a valid reason in a particular circumstance,
and the full implication is understood (receiving implementations MUST support
NULL). This email exchange constitutes careful weighing before choosing a
different course.

So emit NULL and feel bad about it. You might consider submitting the patch to
OpenSSL anyway though.
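To make the two encodings under discussion concrete, here is an added example (not code from the thread, from OpenSSL, or from the draft) that builds the SHA-1 AlgorithmIdentifier both with parameters absent and with NULL, and parses either form, which is what the "receiving implementations MUST support NULL" point amounts to. The OID is the standard id-sha1 value; the short-form length assumption is noted in the code.

```python
# Added example, not from the thread, OpenSSL, or the draft: the SHA-1
# AlgorithmIdentifier with parameters absent (the RFC 3370 SHOULD form)
# versus NULL (what OpenSSL was reported to emit), plus a decoder for both.
SHA1_OID = "1.3.14.3.2.26"  # id-sha1

def encode_oid(oid: str) -> bytes:
    """DER-encode a dotted OID string as OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return bytes([0x06, len(body)]) + body

def encode_sha1_algid(null_params: bool) -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }."""
    body = encode_oid(SHA1_OID) + (b"\x05\x00" if null_params else b"")
    return bytes([0x30, len(body)]) + body

def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid for the OID contents octets."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def parse_algid(der: bytes):
    """Return (oid, params): params is None when absent, b'\\x05\\x00' when NULL.
    Short-form lengths (< 128 bytes) are assumed; that holds for these values.
    Any other parameters encoding is rejected rather than guessed at."""
    if der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a single short-form SEQUENCE")
    if der[2] != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid_len = der[3]
    oid = decode_oid(der[4:4 + oid_len])
    rest = der[4 + oid_len:]
    if rest == b"":
        return oid, None
    if rest == b"\x05\x00":
        return oid, rest
    raise ValueError("unexpected parameters encoding")
```

A receiver that keys on the returned OID and ignores whether params is None or NULL accepts both encodings; a strict DER comparison of the two byte strings would not.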

