Re: [TLS] Using RSA PSS in TLS

Santosh Chokhani <> Mon, 14 October 2013 11:19 UTC

From: Santosh Chokhani <>
Thread-Topic: [TLS] Using RSA PSS in TLS
Date: Mon, 14 Oct 2013 11:19:20 +0000
Subject: Re: [TLS] Using RSA PSS in TLS
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

Oops.  My bad.  I mixed up signature algorithms with SPKI.

-----Original Message-----
From: Santosh Chokhani 
Sent: Monday, October 14, 2013 7:09 AM
To: <>
Subject: RE: [TLS] Using RSA PSS in TLS

Since ECDHE_RSA or DHE_RSA says that the Server public key is RSA, the SPKI in the Server certificate would indicate it is RSA 1.5 or PSS and you do not need additional cipher suites.

-----Original Message-----
From: [] On Behalf Of Peter Gutmann
Sent: Monday, October 14, 2013 6:59 AM
To: <>
Subject: Re: [TLS] Using RSA PSS in TLS

Hanno Böck <> writes:

>legacy compatibility is exactly the point. Implementations must be 
>prepared to communicate to servers / clients that do not support the new version.

Never underestimate the amount of weight that carries.  There was an attempt, some years ago, to mandate RSA-PSS for certificates.  It met with pretty much universal rejection, to the extent that people would probably ignore the requirement even if it was made a MUST in the spec (at the time it was described as "X9.42 all over again", a reference to another MUST that everyone ignored), and as a result was dropped.

The problem with -PSS is that it doesn't really fix anything in -1.5 (I know it's *theoretically* better, but unless you do -1.5 really badly there's no practical weakness that would encourage an upgrade).  Counting against that is the near-insurmountable cost of a changeover (everyone has to redeploy global crypto infrastructure from scratch).

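As an added illustration of the two encodings the thread contrasts (this is example code written for this archive page, not anything posted by the participants), the following pure-Python functions implement EMSA-PSS encode/verify and EMSA-PKCS1-v1_5 encode from RFC 8017 with SHA-256. It shows the structural difference behind "theoretically better": PSS mixes a random salt into the hash and masks it with MGF1, so the same message encodes differently every time, while v1.5 is a fixed, deterministic padding around a DER DigestInfo. Only the encodings are shown; the RSA private/public operation that would wrap them is assumed and omitted.

```python
import hashlib
import os

HLEN = 32  # SHA-256 output length in bytes


def mgf1(seed: bytes, mask_len: int) -> bytes:
    # MGF1 (RFC 8017 B.2.1): concatenate SHA-256(seed || counter) until mask_len bytes exist
    out = b"".join(hashlib.sha256(seed + c.to_bytes(4, "big")).digest()
                   for c in range((mask_len + HLEN - 1) // HLEN))
    return out[:mask_len]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def emsa_pss_encode(msg: bytes, em_bits: int, salt: bytes = None) -> bytes:
    # EMSA-PSS-ENCODE (RFC 8017 9.1.1); a fresh random salt makes every encoding differ
    salt = os.urandom(HLEN) if salt is None else salt
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("encoding error: modulus too small for this hash and salt")
    h = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked_db = bytearray(xor(db, mgf1(h, em_len - HLEN - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the bits above em_bits
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(msg: bytes, em: bytes, em_bits: int, s_len: int = HLEN) -> bool:
    # EMSA-PSS-VERIFY (RFC 8017 9.1.2): unmask DB, recover the salt, recompute H
    em_len = (em_bits + 7) // 8
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if em_len < HLEN + s_len + 2 or len(em) != em_len or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    if masked_db[0] & ~top_mask & 0xFF:
        return False
    db = bytearray(xor(masked_db, mgf1(h, em_len - HLEN - 1)))
    db[0] &= top_mask
    ps_len = em_len - HLEN - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[ps_len + 1:])
    return hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + salt).digest() == h


SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2 note 1


def emsa_pkcs1_v1_5_encode(msg: bytes, em_len: int) -> bytes:
    # EMSA-PKCS1-v1_5 (RFC 8017 9.2): deterministic, fixed 0xff padding, no salt
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    assert em_len >= len(t) + 11, "intended encoded message length too short"
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t
```

For a 2048-bit modulus call the PSS functions with em_bits = 2047 and the v1.5 function with em_len = 256; encoding the same message twice with PSS yields two different 256-byte strings that both verify, while v1.5 yields the identical string each time.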