Re: [TLS] Drafts for batch signing and PKCS#1 v1.5

Ben Schwartz <> Wed, 31 July 2019 03:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CDE0C12008A for <>; Tue, 30 Jul 2019 20:54:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -17.5
X-Spam-Status: No, score=-17.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ihaK5cjnrSnZ for <>; Tue, 30 Jul 2019 20:54:44 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 65D7412002E for <>; Tue, 30 Jul 2019 20:54:44 -0700 (PDT)
Received: by with SMTP id m24so133255474ioo.2 for <>; Tue, 30 Jul 2019 20:54:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WuqyGS8+ab6dorTAhUW8EHs8lwJvRUv+lCCekE/38GY=; b=ARZ17mFW0A8TrBA8ABMJ5HHElbgbEShfhXrPOExi/lTtSTt01K28HxsWiL8mtfm9wI gWMkksTqXAh5uQxd/ktAjNL40t7/f7qluQuDBMw4Y2jiQSRmR/ZXww49gXPhqwI1t7kD u9mxk9LpRlkip9kurCcg5Z47GrNqexj82liYbw2X2YC4wQghB+A3k4RZzeZCkxI7UoX/ khccd8uy0vvIeroPKRiMdKX8Ui409R7eHBLsWzT/hWicTWmPIlXJHsD98Q/r3bV3zyns pSXmHKBas2ZVntHIhfCmhXOTRq3onSjg5HWFbKqlwVl3df8gFPaVFSDT/kASuEH3FFpk o56Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WuqyGS8+ab6dorTAhUW8EHs8lwJvRUv+lCCekE/38GY=; b=tM1dFCTk9xZeYeiyzFwnxIkjucX9gYZ+Tdsn6ig0D5dNpFUKJuWFlrCMoSw6PdWam7 PLSjM/64QqBTDW7Z4V6631gP7nQzygGPpbUADagowPRP4Qvvg81jXCcnULgianUfheQK ekm+ds4P4VhBnnZOsKJ43XSlCiNBWH/dEaFO3Zp/B+28WCN/gPyVDpl3UNEDUbYa/RBT u0EEf2sYVV09DeIPkWXAYr1xLJ8jxWjNdU68OAmRgK4t95sPtzW7DfX0oSeAqoHxQnaC uhAe6NmnkFUgkjXAcQ5miNSNGT3ZE/6KNTKXCFTBXiSKa1zeCw9IVhp2cBr5PJJdbSZc /X8A==
X-Gm-Message-State: APjAAAV5qsH9Y4YP0mf9Cs8hKLIshlHI8sZSyyeRDlfH0Y2aveY9h7lb c0ltzlxCbNdwljP+XzYqF3wjL2RCMeJ6J1tPvNG1Gw==
X-Google-Smtp-Source: APXvYqwHfkgqcnvfuOVR0WL5qwr2w1zfOvndXNENQuLr5L0FjRpVO21wMhMqpysIf95P9c+uuCk1ZDNB39C6W8uqwkY=
X-Received: by 2002:a6b:5a17:: with SMTP id o23mr3295324iob.41.1564545283273; Tue, 30 Jul 2019 20:54:43 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Ben Schwartz <>
Date: Tue, 30 Jul 2019 23:54:30 -0400
Message-ID: <>
To: David Benjamin <>
Cc: "<>" <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000e0c6ac058ef21528"
Archived-At: <>
Subject: Re: [TLS] Drafts for batch signing and PKCS#1 v1.5
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 31 Jul 2019 03:54:47 -0000

The batch signing idea is very cool.  I'm not entirely sure I understand
the intended use case, though.  The intro suggests that this motivated by
DoS defense, but presumably an attacker who controls their own TLS client
stack could simply omit support for these signature schemes.  Do you
envision a future where servers can safely omit support for all the
non-batch signature schemes?  Or are you thinking of attackers who don't
control the TLS client stack?

Minor question: in the tree diagrams, m2 goes to t04.  Is there any reason
it couldn't go directly to t12?  That would seem more natural to me.

On Tue, Jul 30, 2019 at 3:09 PM David Benjamin <>

> Oops. draft-davidben-tls-batch-signing-00 cites
> draft-davidben-http2-tls13-00. That should be
> draft-davidben-tls13-pkcs1-00. (The XML file took a really long time to be
> created, so I manually tried to recreate it based on another file and
> forgot to update one of the fields..) I'll fix this in -01.
> On Mon, Jul 29, 2019 at 8:15 PM David Benjamin <>
> wrote:
>> Hi all,
>> I’ve just uploaded a pair of drafts relating to signatures in TLS 1.3.
>> The first introduces optional legacy codepoints for PKCS#1 v1.5
>> signatures with client certificates. This is unfortunate, but I think we
>> should do it. On the Chrome side, we’ve encountered some headaches with the
>> TLS 1.3 PSS requirement which are unique to client certificates. The
>> document describes the motivations in detail.
>> The second describes a batch signing mechanism for TLS using Merkle
>> trees. It allows TLS clients and servers to better handle signing load. I
>> think it could be beneficial for a number of DoS and remote key scenarios.
>> Thoughts?
>> David
> _______________________________________________
> TLS mailing list