Re: [TLS] PSS and TLS 1.3

Adam Langley <agl@imperialviolet.org> Fri, 20 January 2017 20:37 UTC

In-Reply-To: <CAFewVt6aDpmzZYrdPikmhQ8hpz14pxu68oiqO7CZcqEVjcMRUg@mail.gmail.com>
References: <e993599c-f69d-2db3-f3f3-f40caf810bd6@drh-consultancy.co.uk> <20170120181455.GA30791@LK-Perkele-V2.elisa-laajakaista.fi> <CAFewVt6aDpmzZYrdPikmhQ8hpz14pxu68oiqO7CZcqEVjcMRUg@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
Date: Fri, 20 Jan 2017 12:37:08 -0800
Message-ID: <CAMfhd9WcRKMHoWyqsPxn0TNhnAN_rCjaPQY2BBBZAgkH2GjKzw@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Ak2ncNUBWMU-Y1B_I9m3wkV0o0A>
Cc: "tls@ietf.org list" <tls@ietf.org>
Subject: Re: [TLS] PSS and TLS 1.3

On Fri, Jan 20, 2017 at 11:29 AM, Brian Smith <brian@briansmith.org> wrote:
> RSA PSS with a zero-length salt is a deterministic,
> subliminal-channel-free signature scheme. It is one of the few
> signature schemes that structurally prevent an HSM from directly
> leaking (parts of) the private key in an undetectable way.

Brian's disowned recommendation in the TLS 1.3 draft matches what I
suggest for PSS signatures:

* Salt length is the length of the hash function.
* MGF1 hash function is the same as the message hash function.
* The trailer field has the default value.

(I like Brian's idea, but I hate options, so I'm torn here.)

Certificates that don't match that format are at risk of not working
in Google products because we hate excessive options. (We'll see,
practically speaking, how much we have to bend on that point, as always.)


Cheers

AGL
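
The three PSS choices listed in the message, as an added worked example that is not part of this thread or of any TLS 1.3 draft text: a pure-Python EMSA-PSS encoder and verifier following RFC 8017 section 9.1, whose defaults are salt length = digest length, MGF1 hash = message hash, and the default trailer 0xbc. It stops at the encoded message EM and omits the RSA modular exponentiation on purpose, because none of the three choices live there. It also accepts the zero-length salt Brian describes, so the two behaviours can be compared directly: a verifier that fixes the salt length at the digest length rejects a zero-salt encoding, which is the interoperability cost of carrying the option. The message bytes, the 2047-bit emBits (a 2048-bit modulus) and the function names are constructed for this example.

```python
"""Added example: EMSA-PSS encode/verify (RFC 8017 9.1) with the TLS 1.3 PSS
parameter choices as defaults. Not code from the original message."""
import hashlib
import hmac
import os

TRAILER = 0xBC  # RFC 8017 fixes trailerField to 0xbc; the "default value"


def mgf1(seed: bytes, mask_len: int, hash_name: str) -> bytes:
    """MGF1 (RFC 8017 B.2.1): Hash(seed || counter) blocks, truncated to mask_len."""
    h_len = hashlib.new(hash_name).digest_size
    out = bytearray()
    for counter in range((mask_len + h_len - 1) // h_len):
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
    return bytes(out[:mask_len])


def emsa_pss_encode(message, em_bits, hash_name="sha256", salt_len=None,
                    mgf_hash=None, salt=None):
    """EMSA-PSS-ENCODE. Defaults follow the profile in the message:
    salt_len = digest size, MGF1 hash = message hash. salt_len=0 gives the
    deterministic variant; salt=None draws a fresh random salt."""
    mgf_hash = mgf_hash or hash_name
    m_hash = hashlib.new(hash_name, message).digest()
    h_len = len(m_hash)
    if salt_len is None:
        salt_len = h_len
    em_len = (em_bits + 7) // 8
    if em_len < h_len + salt_len + 2:
        raise ValueError("encoding error: modulus too small for hash + salt")
    if salt is None:
        salt = os.urandom(salt_len)
    if len(salt) != salt_len:
        raise ValueError("salt length mismatch")
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    ps = b"\x00" * (em_len - salt_len - h_len - 2)
    db = ps + b"\x01" + salt
    db_mask = mgf1(h, em_len - h_len - 1, mgf_hash)
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask))
    # clear the leftmost 8*emLen - emBits bits so EM < 2^emBits
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(masked_db) + h + bytes([TRAILER])


def emsa_pss_verify(message, em, em_bits, hash_name="sha256", salt_len=None,
                    mgf_hash=None) -> bool:
    """EMSA-PSS-VERIFY with a fixed expected salt length, i.e. a verifier that
    enforces the profile rather than recovering the salt length from EM.
    Returns False on any inconsistency."""
    mgf_hash = mgf_hash or hash_name
    m_hash = hashlib.new(hash_name, message).digest()
    h_len = len(m_hash)
    if salt_len is None:
        salt_len = h_len
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + salt_len + 2:
        return False
    if em[-1] != TRAILER:
        return False
    masked_db, h = em[: em_len - h_len - 1], em[em_len - h_len - 1 : em_len - 1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & (0xFF ^ top_mask):
        return False
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, em_len - h_len - 1, mgf_hash)))
    db[0] &= top_mask
    ps_len = em_len - h_len - salt_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False  # the 0x01 separator is not where this salt length puts it
    salt = bytes(db[ps_len + 1 :])
    h_prime = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(h, h_prime)


if __name__ == "__main__":
    msg = b"constructed CertificateVerify input"  # constructed sample input
    em_bits = 2047  # emBits for a 2048-bit modulus
    a, b = emsa_pss_encode(msg, em_bits), emsa_pss_encode(msg, em_bits)
    z1, z2 = emsa_pss_encode(msg, em_bits, salt_len=0), emsa_pss_encode(msg, em_bits, salt_len=0)
    print("salt=hLen encodings differ:", a != b, "both verify:", emsa_pss_verify(msg, a, em_bits))
    print("salt=0 encodings identical:", z1 == z2, "verify with sLen=0:", emsa_pss_verify(msg, z1, em_bits, salt_len=0))
    print("profile verifier (sLen=hLen) accepts zero-salt EM:", emsa_pss_verify(msg, z1, em_bits))
```

Running the demo shows the two sides of the thread: with the hash-length salt, every encoding of the same message is different (no way for a verifier to tell a fresh signature from a replayed one, and room for a signer to leak bits through the salt), while the zero-salt encoding is bit-for-bit reproducible; but the profile verifier rejects the zero-salt EM, and a zero-salt verifier rejects the profile EM, because each looks for the 0x01 separator at a different offset. A verifier that mixes up the MGF1 hash (for example MGF1 with SHA-1 under a SHA-256 message hash) likewise fails, since the unmasking produces a different DB. RFC 8446 ultimately fixed the salt length at the digest length and the MGF1 hash at the message hash for rsa_pss_* signature schemes, matching the three bullets above.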