Re: [TLS] PR to clarify RSASSA-PSS requirements
Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 22 November 2017 19:30 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F21B129C35 for <tls@ietfa.amsl.com>; Wed, 22 Nov 2017 11:30:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LhwWR2Y-8IRX for <tls@ietfa.amsl.com>; Wed, 22 Nov 2017 11:30:45 -0800 (PST)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC92F1296C9 for <tls@ietf.org>; Wed, 22 Nov 2017 11:30:45 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id A162B5DE3E; Wed, 22 Nov 2017 21:30:43 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id znykbiTWkPED; Wed, 22 Nov 2017 21:30:43 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 4924627B; Wed, 22 Nov 2017 21:30:41 +0200 (EET)
Date: Wed, 22 Nov 2017 21:30:40 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Peter Wu <peter@lekensteyn.nl>, tls@ietf.org
Message-ID: <20171122193040.GA22445@LK-Perkele-VII>
References: <20171122035404.GC18321@al> <1511340124.22935.27.camel@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <1511340124.22935.27.camel@redhat.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1u5pPLXxIH4LgouVgzOFTK_S2UI>
Subject: Re: [TLS] PR to clarify RSASSA-PSS requirements
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Nov 2017 19:30:48 -0000
On Wed, Nov 22, 2017 at 09:42:04AM +0100, Nikos Mavrogiannopoulos wrote: > On Wed, 2017-11-22 at 03:54 +0000, Peter Wu wrote: > > Hi, > > > > At the moment there is still ambiguity in the requirements for PSS > > with > > relation to certificates. Proposal to clarify this: > > https://github.com/tlswg/tls13-spec/pull/1098 > > > > > > This PR intends to clarify the requirements for PSS support. > > Hi, > I commented on the PR, but to provide more context. I believe RSA-PSS > keys without parameters MUST be supported under TLS1.3. The reason is > that keys explicitly marked as RSA-PSS cannot be used for RSA PKCS#1 > 1.5 encryption, and thus they provide a way for the server to know that > it must protect that key against (cross-protocol) attacks which utilize > RSA ciphersuites under TLS1.2. Furthermore, this would also let the client know that the key itself is not likely to be subject to DROWN-type issues. This becomes extremely significant when considering things like Delegated Credentials (WG document now). E.g., I consider it unacceptable risk to accept DCs signed with RsaEncryption keys. _Even_ if the certificate has an additional extension. > On why you don't want mixing keys for TLS1.3 and TLS1.2 RSA > ciphersuites, see all the bleichenbacher attack reiterations over the > years. There was a rather nasty one just very recently. > So what about distinguishing the RSA-PSS keys with and without > parameters: > > "an RSASSA-PSS public key (OID id-RSASSA-PSS) without parameters MUST > be supported, while an RSASSA-PSS public key (OID id-RSASSA-PSS) with > parameters MAY be supported`." +1 -Ilari
- [TLS] PR to clarify RSASSA-PSS requirements Peter Wu
- Re: [TLS] PR to clarify RSASSA-PSS requirements Eric Rescorla
- Re: [TLS] PR to clarify RSASSA-PSS requirements Nikos Mavrogiannopoulos
- Re: [TLS] PR to clarify RSASSA-PSS requirements Peter Wu
- Re: [TLS] PR to clarify RSASSA-PSS requirements Peter Wu
- Re: [TLS] PR to clarify RSASSA-PSS requirements Nikos Mavrogiannopoulos
- Re: [TLS] PR to clarify RSASSA-PSS requirements Hubert Kario
- Re: [TLS] PR to clarify RSASSA-PSS requirements Ilari Liusvaara
- Re: [TLS] PR to clarify RSASSA-PSS requirements Peter Wu