Re: [TLS] RSA-PSS in TLS 1.3

Andrey Jivsov <crypto@brainhub.org> Wed, 06 July 2016 20:16 UTC

Message-ID: <577D6713.9030501@brainhub.org>
Date: Wed, 06 Jul 2016 13:16:19 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: tls@ietf.org
References: <20160303152945.18296912.40009.55386@ll.mit.edu> <2031124.N80aPK0KD4@pintsize.usersys.redhat.com> <20160308184131.GS10917@mournblade.imrryr.org> <2223470.EAoG62gjRo@pintsize.usersys.redhat.com> <CAOgPGoDq0r9CJETzmBvJTk+NNkCj1B=rwbtnD_e5-=VaRRdf=g@mail.gmail.com>
In-Reply-To: <CAOgPGoDq0r9CJETzmBvJTk+NNkCj1B=rwbtnD_e5-=VaRRdf=g@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2ieiw7EoEQgAn2uZQ0Z8-VvKt4A>
Subject: Re: [TLS] RSA-PSS in TLS 1.3

On 07/06/2016 10:23 AM, Joseph Salowey wrote:
> I don't think we ever called consensus on this topic.  It looks like there
> is rough consensus to move forward with RSA-PSS as the MUST implement
> algorithm for certificate verify in TLS 1.3 and not allow PKCS-1.5.  
> During the discussion it also seemed that it is realistic that we may
> want to add additional types in the future.  We may want better
> separation of signature types of certificates and certificate verify.  
> 
> Cheers,
> 
> J&S

Was it really the consensus that the group didn't want to allow PKCS-1.5
to be negotiated for handshake signatures (for certificate verifies)?

TLS 1.3 currently allows this agility for other signatures: the
signatures in X.509 certificates.

Nobody has objections to a MUST implement and MUST prefer RSA-PSS in TLS
1.3.
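The rule under discussion, shown as an added worked example in Go using only the standard library (this is not code from the message, from the TLS working group or from any TLS implementation): the CertificateVerify signed content is built as RFC 8446 section 4.4.3 specifies (64 spaces, the context string, a zero byte, the transcript hash), signed once as rsa_pss_rsae_sha256 and once as rsa_pkcs1_sha256, and a verifier that enforces "RSA-PSS only for handshake signatures" rejects the PKCS#1 v1.5 one by scheme before doing any RSA math, while the same v1.5 signature remains acceptable to a separate certificate-signature check that keeps the agility TLS 1.3 still allows for X.509. The function names and the transcript hash are assumptions made for the example; the code points and the PSS salt-length rule come from RFC 8446.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TLS 1.3 SignatureScheme code points (RFC 8446, section 4.2.3).
const (
	RSAPKCS1SHA256   uint16 = 0x0401 // rsa_pkcs1_sha256: certificate signatures only
	RSAPSSRSAESHA256 uint16 = 0x0804 // rsa_pss_rsae_sha256: allowed in CertificateVerify
)

// Context string for a server CertificateVerify (RFC 8446, section 4.4.3).
const serverContext = "TLS 1.3, server CertificateVerify"

// ErrSchemeNotAllowed is returned when a handshake signature uses a scheme
// that TLS 1.3 does not permit for CertificateVerify.
var ErrSchemeNotAllowed = errors.New("signature scheme not allowed for handshake signatures")

// TLS 1.3 requires the PSS salt length to equal the digest length.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}

// certificateVerifyContent builds the byte string the CertificateVerify
// signature covers: 64 spaces, the context string, one zero byte, transcript hash.
func certificateVerifyContent(context string, transcriptHash []byte) []byte {
	buf := bytes.Repeat([]byte{0x20}, 64)
	buf = append(buf, []byte(context)...)
	buf = append(buf, 0x00)
	return append(buf, transcriptHash...)
}

// rsaSign hashes msg with SHA-256 and signs the digest under the given scheme.
func rsaSign(priv *rsa.PrivateKey, scheme uint16, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	switch scheme {
	case RSAPSSRSAESHA256:
		return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
	case RSAPKCS1SHA256:
		return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	}
	return nil, fmt.Errorf("unsupported scheme 0x%04x", scheme)
}

// rsaVerify is the scheme-agnostic counterpart of rsaSign.
func rsaVerify(pub *rsa.PublicKey, scheme uint16, msg, sig []byte) error {
	digest := sha256.Sum256(msg)
	switch scheme {
	case RSAPSSRSAESHA256:
		return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts)
	case RSAPKCS1SHA256:
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
	}
	return fmt.Errorf("unsupported scheme 0x%04x", scheme)
}

// signCertificateVerify produces a server CertificateVerify signature.
func signCertificateVerify(priv *rsa.PrivateKey, scheme uint16, transcriptHash []byte) ([]byte, error) {
	return rsaSign(priv, scheme, certificateVerifyContent(serverContext, transcriptHash))
}

// verifyCertificateVerify enforces the TLS 1.3 rule: an RSA handshake
// signature must be RSA-PSS. rsa_pkcs1_* is rejected by scheme, before any
// RSA operation, even if the signature itself would verify.
func verifyCertificateVerify(pub *rsa.PublicKey, scheme uint16, transcriptHash, sig []byte) error {
	if scheme != RSAPSSRSAESHA256 {
		return fmt.Errorf("%w: 0x%04x", ErrSchemeNotAllowed, scheme)
	}
	return rsaVerify(pub, scheme, certificateVerifyContent(serverContext, transcriptHash), sig)
}

// verifyCertificateSignature models the agility TLS 1.3 keeps for signatures
// inside X.509 certificates: both PSS and PKCS#1 v1.5 are still accepted here.
func verifyCertificateSignature(pub *rsa.PublicKey, scheme uint16, tbs, sig []byte) error {
	return rsaVerify(pub, scheme, tbs, sig)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed transcript hash; a real one is the hash of the handshake so far.
	th := sha256.Sum256([]byte("constructed handshake transcript"))

	pss, _ := signCertificateVerify(priv, RSAPSSRSAESHA256, th[:])
	fmt.Println("rsa_pss_rsae_sha256 CertificateVerify:", verifyCertificateVerify(&priv.PublicKey, RSAPSSRSAESHA256, th[:], pss))

	v15, _ := signCertificateVerify(priv, RSAPKCS1SHA256, th[:])
	fmt.Println("rsa_pkcs1_sha256 CertificateVerify:   ", verifyCertificateVerify(&priv.PublicKey, RSAPKCS1SHA256, th[:], v15))

	// The same v1.5 signature over the same bytes is fine as a certificate signature.
	tbs := certificateVerifyContent(serverContext, th[:])
	fmt.Println("rsa_pkcs1_sha256 in a certificate:    ", verifyCertificateSignature(&priv.PublicKey, RSAPKCS1SHA256, tbs, v15))
}
```

The scheme check runs before the RSA verification so a peer cannot downgrade a PSS-only endpoint by simply advertising and using rsa_pkcs1_sha256 in CertificateVerify; in a real stack the certificate-side check would additionally be gated by the peer's signature_algorithms_cert extension, which the example does not model.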