Re: [dnsext] RSA algorithm padding in RFC 5702, RSASSA-PSS

Paul Wouters <> Thu, 21 October 2010 21:47 UTC

On Wed, 20 Oct 2010, Hanno Böck wrote:

> I'm currently working on a study project about RSASSA-PSS. This is a padding
> variant with security proofs and standardized within PKCS #1 2.1.
> I saw that dnssec currently seems to use the old PKCS #1 1.5 padding methods
> (RFC 5702, Section 3). I wonder if there was any discussion about that
> decision (there is some hint in section 8.1). RFC 5702 was published in 2009,
> so it's a pretty new standard.
> Are there any plans to support algorithms with EMSA-PSS-padding within dnssec
> in the future?

I brought this up a year or two ago, when RSASHA256 was getting
specified.  Specifically, I argued the IETF itself had already
recommended moving from PKCS 1.1.5 to RSASSA-PSS in 2003:

At the time the consensus seemed to be that RSASSA-PSS was less
standardised and less available in crypto libraries, and the gains on
theoretical security would be lost in practical implementation issues
(interop issues, implementation mistakes, etc.).

I can't find the thread but I think it was on the dnssec-deployment or dnsext list.