The parsing part will require some changes in an implementation responsible for certificate dispatching. Server (or client) will need to validate that the chosen chain of certificates uses signature algorithms from the signature_algorithms_cert list if it's received. There is an exception for the root certificate, which needs to be taken into account.
Implementation can't change the semantics which a custom GetCertificate function expects.
There is a case in which the signature_algorithms and signature_algorithms_cert lists share some of the algorithms, but there is also a rare corner case in which both lists could be disjoint. Implementation needs to take it into account (verification algorithm of leaf certificate doesn't need to be on a signature_algorithms_cert list).
Currently signature_algorithms_cert is implemented in a way that it's sent in a CH and CR, but never parsed when received. We use this extension in order to indicate that certificates with PSS padding are not supported (see https://github.com/cloudflare/tls-tris/pull/69#discussion_r174788397). This support has been added in (https://github.com/golang/go/commit/87867505c0dae0c9a9b3b93cc01ee8c5a30dc8bb) which will be released in go 1.11.
Comments in this PR are valid only for TLS 1.3
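
A sketch of the chain check described above, added here as an example and not taken from tls-tris or the Go standard library. The names chainAllowed and certSigScheme are hypothetical, and the fallback to signature_algorithms when the extension is absent follows RFC 8446 section 4.2.3.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
)

// certSigScheme maps a certificate's signature algorithm to the TLS 1.3 code
// point a peer lists for it. Assumption: ECDSA is matched by hash only (the
// curve is not checked); algorithms missing from the map are rejected.
var certSigScheme = map[x509.SignatureAlgorithm]tls.SignatureScheme{
	x509.SHA256WithRSA:    tls.PKCS1WithSHA256,
	x509.SHA384WithRSA:    tls.PKCS1WithSHA384,
	x509.SHA512WithRSA:    tls.PKCS1WithSHA512,
	x509.SHA256WithRSAPSS: tls.PSSWithSHA256,
	x509.SHA384WithRSAPSS: tls.PSSWithSHA384,
	x509.SHA512WithRSAPSS: tls.PSSWithSHA512,
	x509.ECDSAWithSHA256:  tls.ECDSAWithP256AndSHA256,
	x509.ECDSAWithSHA384:  tls.ECDSAWithP384AndSHA384,
	x509.ECDSAWithSHA512:  tls.ECDSAWithP521AndSHA512,
}

// chainAllowed (hypothetical helper) checks a chain, leaf first, against the
// received signature_algorithms_cert list (certAlgs). If the extension was not
// received, signature_algorithms (sigAlgs) applies instead (RFC 8446, 4.2.3).
func chainAllowed(chain []*x509.Certificate, sigAlgs, certAlgs []tls.SignatureScheme) bool {
	if len(certAlgs) == 0 {
		certAlgs = sigAlgs
	}
	allowed := make(map[tls.SignatureScheme]bool, len(certAlgs))
	for _, s := range certAlgs {
		allowed[s] = true
	}
	for _, c := range chain {
		// Root exception: a self-signed trust anchor's signature is not validated.
		if len(c.RawSubject) > 0 && bytes.Equal(c.RawSubject, c.RawIssuer) {
			continue
		}
		if scheme, known := certSigScheme[c.SignatureAlgorithm]; !known || !allowed[scheme] {
			return false
		}
	}
	return true
}

func main() {
	leaf := &x509.Certificate{SignatureAlgorithm: x509.SHA256WithRSA, RawSubject: []byte("leaf"), RawIssuer: []byte("ca")} // constructed sample
	println(chainAllowed([]*x509.Certificate{leaf}, nil, []tls.SignatureScheme{tls.PSSWithSHA256}))
}
```

The check covers only the signatures on the certificates; the algorithm the leaf key uses in CertificateVerify is still chosen from signature_algorithms, which is why the two lists can be disjoint.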