Re: [TLS] RSA-PSS in TLS 1.3

Yoav Nir <ynir.ietf@gmail.com> Mon, 29 February 2016 18:53 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FD561B39E9 for <tls@ietfa.amsl.com>; Mon, 29 Feb 2016 10:53:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.6
X-Spam-Level:
X-Spam-Status: No, score=0.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MANGLED_BACK=2.3, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1lVwxbQk-S99 for <tls@ietfa.amsl.com>; Mon, 29 Feb 2016 10:53:38 -0800 (PST)
Received: from mail-wm0-x231.google.com (mail-wm0-x231.google.com [IPv6:2a00:1450:400c:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8D541B39C8 for <tls@ietf.org>; Mon, 29 Feb 2016 10:53:37 -0800 (PST)
Received: by mail-wm0-x231.google.com with SMTP id n186so2793038wmn.1 for <tls@ietf.org>; Mon, 29 Feb 2016 10:53:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:from:in-reply-to:date:cc:message-id:references :to; bh=NPfxJsuvWO2Ua7f4+RnFLTZeLfbZbempq5JNe1292CQ=; b=qwWlq6vweKKVTZCTE78guhsOM4csdDkc8bisBgMlg9Jh5JjqQZ5Q6PkaiQd9CwGQdG 4R1mU0xc1Fqzu5EOiG9IeyAWW6AzpilMCKiSRkDNFDs8h2ttw09/R4O7DtKLxkqUMpCG zSpmSzRVGEg1lt6mH+7GlKq3bSsKhH6FZLoQChuNTJGkckygNcxMOFU3LurXuFMtRiwc pOU3XYzQjih40Og86k8YAfFHc9R65NfYz/DEzlgf94XmiAJ70UWsvyz+SvFbtKeoSLhC xzWPTjgPHCOf2HinGrerBAOdD6MBa2/OG2zmR1nlM2/cxJspBfUGpGpZ/ikejRPUrQtB CwZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :message-id:references:to; bh=NPfxJsuvWO2Ua7f4+RnFLTZeLfbZbempq5JNe1292CQ=; b=eJJrL37hYwoHofllPQFBTQq6qfs3EqVPrh6K2vkMhBKpeywqwyz3uxWUorFokG72w2 k89NMFCVafLNAESZvU0+2gzUHeckfFCj2ILtu1vfM8i8B19iVareUWIeuqNppLwpJa8/ auEVtcNHf2BRDk3aHCxbF5vDCavgYDumkTwarvaxKx2DzQsSxR/a+RG4p11f+vnG88tp M0XHkgNJv7dEABAMYP9cg1j43A9s3up9UOPgDunOpVs88L5C5F8fiOEykpqcz2LE1uLE T5mYzW7ira6thsQuTMJIwhMapfbMue8HtmQUC3RAmgiHdJUPpx6IuEnw+rfbkOtBfNE7 WvmA==
X-Gm-Message-State: AD7BkJKS0vY3ELwuZA+U3XGNNzaLodrfb7yobtEV2SHLgpp4NnN0BzJYAGHsybXMjqZfrw==
X-Received: by 10.194.184.234 with SMTP id ex10mr15643534wjc.8.1456772016470; Mon, 29 Feb 2016 10:53:36 -0800 (PST)
Received: from [192.168.1.13] ([46.120.13.132]) by smtp.gmail.com with ESMTPSA id 74sm17758519wmn.17.2016.02.29.10.53.35 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 29 Feb 2016 10:53:35 -0800 (PST)
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
Content-Type: multipart/signed; boundary="Apple-Mail=_1698864B-30BF-4FB0-9CD0-EE54A7D68B28"; protocol="application/pgp-signature"; micalg=pgp-sha256
X-Pgp-Agent: GPGMail 2.6b2
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <20160229190021.59516808@pc1>
Date: Mon, 29 Feb 2016 20:53:33 +0200
Message-Id: <88D3CE68-E034-4433-8EA2-B09AC8801E6B@gmail.com>
References: <CAOgPGoD=AAFDUXN8VkOHwTMEUm+-qi548NsicoD=1yQKSu-sng@mail.gmail.com> <20160229190021.59516808@pc1>
To: =?utf-8?Q?Hanno_B=C3=B6ck?= <hanno@hboeck.de>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/EDXcuDWCt_2IFYjRbOc2Y1LpnYo>
Cc: tls@ietf.org
Subject: Re: [TLS] RSA-PSS in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Feb 2016 18:53:39 -0000

> On 29 Feb 2016, at 8:00 PM, Hanno Böck <hanno@hboeck.de> wrote:
> 
> On Mon, 29 Feb 2016 09:32:04 -0800
> Joseph Salowey <joe@salowey.net> wrote:
> 
>> We make RSA-PSS mandatory to implement (MUST implement instead of MUST
>> offer).   Clients can advertise support for PKCS-1.5 for backwards
>> compatibility in the transition period.
>> Please respond on the list on whether you think this is a reasonable
>> way forward or not.
> 
> I recently already saw the message here asking for PKCS #1 1.5
> compatibilty and was quite angry about it, but as there wasn't much
> discussion I thought this issue would go away. It seems it did not.
> 
> RSA-PSS was specified as RFC 3447 in 2003. That was 13 years ago.
> 
> Therefore we can conclude:
> * Whoever created that hardware implementation either did so more than
>  13 years ago (probably unlikely) or deliberately created hardware
>  crypto with sub-standard algorithm support.
> * This can mean a couple of things:
> a) The hardware vendor knew about it and expected that they could
> prevent a move to RSA-PSS by lobbying standardization bodies (this is
> what they seem to do right now). In this case they deliberately want to
> weaken security and that behavior should not be encouraged.
> b) They didn't know about RFC 3447. That probably means they shouldn't
> develop crypto products at all.
> c) Something else?

Yeah, such as all of their customers are using PKCS#1 because that is what everybody uses in all current versions of TLS and several other protocols?

Regardless, hardware vendors should rejoice. We’re giving their customers a good reason to buy new hardware.

Yoav