Re: [TLS] RSA-PSS in TLS 1.3

Andrey Jivsov <> Mon, 29 February 2016 19:04 UTC

From: Andrey Jivsov <>
Date: Mon, 29 Feb 2016 11:04:38 -0800
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On 02/29/2016 09:32 AM, Joseph Salowey wrote:
> We seem to have good consensus on moving to RSA-PSS and away from 
> PKCS-1.5 in TLS 1.3.  However, there is a problem that it may take 
> some hardware implementations some time to move to RSA-PSS.  After an 
> off list discussion with a few folks here is a proposal for moving 
> forward.
> We make RSA-PSS mandatory to implement (MUST implement instead of MUST 
> offer).   Clients can advertise support for PKCS-1.5 for backwards 
> compatibility in the transition period.
> Please respond on the list on whether you think this is a reasonable 
> way forward or not.

I think that supporting PKCS1.5 fallback is the right thing to do for 
faster adoption of TLS 1.3, as specified above.

PKCS #1.5 is allowed in X.509 certificates. The X.509 certificate chain is a 
part of the TLS handshake. The above proposal is about not restricting one 
type of signature, the end-entity signature, to PSS. This applies to client 
authentication, server authentication, or both.

Without a generous advance warning about PKCS #1.5 removal by TLS 1.3, we 
have to deal with already deployed hardware. Had vendors and customers 
known that TLS 1.3 would remove PKCS #1.5, we probably would have ended up 
with a more PSS-friendly Internet. PKCS #1.5 is still fine for FIPS 140, 
Common Criteria, and in CA certificates in TLS 1.3.

The WG can choose to remove PSS from one type of signature in TLS 1.3. The 
affected implementations will need to cap negotiation at TLS 1.2.

For more details:
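Added illustration of the distinction the message draws (this is not code from the thread, from Andrey Jivsov, or from any TLS working group draft): the same RSA key produces both an RSASSA-PKCS1-v1_5 and an RSASSA-PSS signature over a CertificateVerify-style input, and a verifier that only accepts PSS rejects the PKCS #1 v1.5 signature while a v1.5 verifier (the kind that checks a CA's signature on a certificate) still accepts it. Padding follows RFC 8017 with salt length equal to the digest length, the CertificateVerify layout (64 spaces, context string, zero byte, transcript hash) follows RFC 8446, which postdates this message, and the 1024-bit key, transcript bytes and textbook pure-Python RSA are assumptions made for the demonstration only.

```python
"""PSS vs PKCS#1 v1.5 end-entity signatures under two verifiers (added example,
not part of the original thread). Textbook RSA in pure Python, demo only."""
import hashlib
import hmac
import secrets

H, H_LEN = hashlib.sha256, 32
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin, sufficient for a throwaway demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_rsa(bits=1024, e=65537):
    """Return ((n, e), (n, d)) with n exactly `bits` long (assumed demo key size)."""
    while True:
        p = q = 0
        while not _is_probable_prime(p):
            p = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        while q == p or not _is_probable_prime(q):
            q = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        n, phi = p * q, (p - 1) * (q - 1)
        if n.bit_length() == bits and phi % e:
            return (n, e), (n, pow(e, -1, phi))


def _mgf1(seed, length):
    blocks = (length + H_LEN - 1) // H_LEN
    return b"".join(H(seed + c.to_bytes(4, "big")).digest() for c in range(blocks))[:length]


def emsa_pkcs1_v15(msg, em_len):
    """EMSA-PKCS1-v1_5: deterministic 00 01 FF..FF 00 || DigestInfo || H(msg)."""
    t = SHA256_DIGESTINFO + H(msg).digest()
    if em_len < len(t) + 11:
        raise ValueError("key too small")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def emsa_pss_encode(msg, em_bits, salt=None):
    """EMSA-PSS with sLen = hLen, the salt length TLS 1.3 requires; randomized."""
    em_len = (em_bits + 7) // 8
    if em_len < 2 * H_LEN + 2:
        raise ValueError("key too small")
    salt = secrets.token_bytes(H_LEN) if salt is None else salt
    h = H(b"\x00" * 8 + H(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - 2 * H_LEN - 2) + b"\x01" + salt
    masked = bytearray(a ^ b for a, b in zip(db, _mgf1(h, em_len - H_LEN - 1)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the unused leading bits
    return bytes(masked) + h + b"\xbc"


def emsa_pss_verify(msg, em, em_bits):
    em_len, top = (em_bits + 7) // 8, 8 * ((em_bits + 7) // 8) - em_bits
    if len(em) != em_len or em_len < 2 * H_LEN + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    if masked[0] & ((0xFF << (8 - top)) & 0xFF):
        return False
    db = bytearray(a ^ b for a, b in zip(masked, _mgf1(h, em_len - H_LEN - 1)))
    db[0] &= 0xFF >> top
    ps_len = em_len - 2 * H_LEN - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    h_prime = H(b"\x00" * 8 + H(msg).digest() + bytes(db[-H_LEN:])).digest()
    return hmac.compare_digest(h, h_prime)


def _k(n):
    return (n.bit_length() + 7) // 8


def _rsa(data, exp, n, out_len):
    return pow(int.from_bytes(data, "big"), exp, n).to_bytes(out_len, "big")


def sign_pkcs1_v15(priv, msg):
    n, d = priv
    return _rsa(emsa_pkcs1_v15(msg, _k(n)), d, n, _k(n))


def verify_pkcs1_v15(pub, msg, sig):
    """Re-encode and compare; never parse padding out of EM (Bleichenbacher-style bugs)."""
    n, e = pub
    return len(sig) == _k(n) and hmac.compare_digest(_rsa(sig, e, n, _k(n)), emsa_pkcs1_v15(msg, _k(n)))


def sign_pss(priv, msg):
    n, d = priv
    return _rsa(emsa_pss_encode(msg, n.bit_length() - 1), d, n, _k(n))


def verify_pss(pub, msg, sig):
    n, e = pub
    em_bits = n.bit_length() - 1
    try:
        em = _rsa(sig, e, n, (em_bits + 7) // 8) if len(sig) == _k(n) else None
    except OverflowError:  # s^e mod n does not fit in emLen octets
        return False
    return em is not None and emsa_pss_verify(msg, em, em_bits)


def certificate_verify_demo(bits=1024):
    """Server end-entity signature under a PSS-only and a v1.5 verifier."""
    pub, priv = gen_rsa(bits)
    transcript_hash = H(b"constructed handshake transcript").digest()  # constructed input
    # RFC 8446 section 4.4.3 CertificateVerify content for the server
    content = b"\x20" * 64 + b"TLS 1.3, server CertificateVerify" + b"\x00" + transcript_hash
    sig_pss, sig_v15 = sign_pss(priv, content), sign_pkcs1_v15(priv, content)
    return {
        "pss_sig_by_pss_verifier": verify_pss(pub, content, sig_pss),
        "v15_sig_by_pss_verifier": verify_pss(pub, content, sig_v15),
        "v15_sig_by_v15_verifier": verify_pkcs1_v15(pub, content, sig_v15),
        "pss_sig_by_v15_verifier": verify_pkcs1_v15(pub, content, sig_pss),
        "pss_randomized": sign_pss(priv, content) != sig_pss,
        "v15_deterministic": sign_pkcs1_v15(priv, content) == sig_v15,
    }


if __name__ == "__main__":
    for name, ok in certificate_verify_demo().items():
        print(f"{name}: {ok}")
```

The v1.5 verifier deliberately re-encodes the expected EM and compares it as a whole instead of parsing the padding out of the decrypted block; that is the shape a "PKCS #1.5 still allowed for certificates" code path should keep, and the PSS verifier is the only one a TLS 1.3 endpoint needs for the CertificateVerify signature itself.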