Re: [TLS] PSS for TLS 1.3

Brian Smith <> Mon, 23 March 2015 01:53 UTC

Date: Sun, 22 Mar 2015 15:53:40 -1000
From: Brian Smith <>
To: Eric Rescorla <>

Eric Rescorla <> wrote:
> Obviously, if we want to move to PSS, option #2 is simplest, but
> the sentiment at the interim was to survey the WG to see whether
> there was widespread enough support for generating and verifying
> PSS to make this feasible [0].

PSS with which parameters?

My suggestion is that, if PSS is used, (SHA-256, MGF-SHA-256, 32-byte
salt) should be used with the SHA-256-based PRF and that (SHA-384,
MGF-SHA-384, 48-byte salt) should be used with the SHA-384-based PRFs.

[1] notes that there is a security advantage to using the same digest
function for the MGF as was used for digesting the signed data. It
would be a mistake to mandate support for MGF-SHA-1 in PSS signatures
in TLS 1.3, because a TLS 1.3 implementation shouldn't need to
implement SHA-1 at all.

Some implementations are hard-coded to support only MGF-SHA-1 and
20-byte salts. It is better to require those implementations to be
updated than to require all implementations to implement SHA-1 just
for the MGF.
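To make the proposed parameter sets concrete, the following is an added example (not code from this thread) of EMSA-PSS encoding and verification with the digest, MGF hash and salt length all bound to one PRF hash, so that a SHA-256 encoding is rejected when checked with the SHA-384 set or after the message changes. The `hashlib`-based MGF1 and the 2047-bit `em_bits` (an RSA-2048 key) are assumptions; the RSA modular exponentiation is left out because it does not depend on these parameters.

```python
import hashlib
import hmac
import os

# One parameter set per TLS PRF hash, as proposed: the message digest, the MGF digest
# and the salt length all follow the PRF hash (no SHA-1 anywhere).
PSS_PARAMS = {"sha256": (hashlib.sha256, 32), "sha384": (hashlib.sha384, 48)}

def mgf1(seed: bytes, mask_len: int, hash_fn) -> bytes:
    """MGF1 (RFC 8017 B.2.1): concatenate Hash(seed || counter) until mask_len bytes."""
    out, counter = b"", 0
    while len(out) < mask_len:
        out += hash_fn(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def emsa_pss_encode(message: bytes, em_bits: int, prf_hash: str) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1); em_bits is modBits - 1 of the RSA key (assumed 2047)."""
    hash_fn, s_len = PSS_PARAMS[prf_hash]
    h_len, em_len = hash_fn().digest_size, (em_bits + 7) // 8
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error: modulus too small for hLen + sLen + 2")
    salt = os.urandom(s_len)
    m_hash = hash_fn(message).digest()
    h = hash_fn(b"\x00" * 8 + m_hash + salt).digest()  # H = Hash(M')
    db = b"\x00" * (em_len - s_len - h_len - 2) + b"\x01" + salt  # DB = PS || 0x01 || salt
    masked_db = bytearray(xor(db, mgf1(h, em_len - h_len - 1, hash_fn)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the leftmost 8*emLen - emBits bits
    return bytes(masked_db) + h + b"\xbc"

def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, prf_hash: str) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2): any mismatch in structure or parameters fails."""
    hash_fn, s_len = PSS_PARAMS[prf_hash]
    h_len, em_len = hash_fn().digest_size, (em_bits + 7) // 8
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - h_len - 1], em[em_len - h_len - 1 : -1]
    if masked_db[0] & ~top_mask & 0xFF:  # leftmost unused bits must be zero
        return False
    db = bytearray(xor(masked_db, mgf1(h, em_len - h_len - 1, hash_fn)))
    db[0] &= top_mask
    ps_len = em_len - h_len - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:  # PS must be all zero, followed by 0x01
        return False
    h_prime = hash_fn(b"\x00" * 8 + hash_fn(message).digest() + bytes(db[-s_len:])).digest()
    return hmac.compare_digest(h, h_prime)
```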