Re: [TLS] RSA-PSS in TLS 1.3

Yoav Nir <ynir.ietf@gmail.com> Tue, 01 March 2016 11:35 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <56D51FFB.9050909@brainhub.org>
Date: Tue, 1 Mar 2016 13:35:26 +0200
Message-Id: <DE710794-CA42-48E1-9AB9-A2BE2899E071@gmail.com>
References: <CAOgPGoD=AAFDUXN8VkOHwTMEUm+-qi548NsicoD=1yQKSu-sng@mail.gmail.com> <56D4ABAD.90902@brainhub.org> <20160229233617.5466ebd3@pc1> <56D51FFB.9050909@brainhub.org>
To: Andrey Jivsov <crypto@brainhub.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/EIp4SAS83OPzA4h4ru4Clxy_bX4>
Cc: tls@ietf.org
Subject: Re: [TLS] RSA-PSS in TLS 1.3

> On 1 Mar 2016, at 6:52 AM, Andrey Jivsov <crypto@brainhub.org> wrote:
> 
> On 02/29/2016 02:36 PM, Hanno Böck wrote:
>> We have an RFC for PSS since 2003.
>> We had several attacks showing the weakness of PKCS #1 1.5.
> 
> In the face of such danger, what's your opinion on PKCS #1.5 signatures being perfectly fine in TLS 1.3? I refer to signatures in X.509 certs in the latest https://tools.ietf.org/html/draft-ietf-tls-tls13-11.
> 
> Why not ban PKCS #1.5 altogether from TLS 1.3? It will not only make TLS 1.3 more secure, but also the code simpler and the footprint smaller. Besides, it's reasonable: TLS 1.2 already allows PSS in X.509.

It would be cool to ban PKCS#1.5 from certificates, but we are not the PKIX working group. Nor are we the CA/Browser forum. When a CA issues a certificate it has to work with every client and server out there. When we use TLS 1.3, the other side supports TLS 1.3 as well, so it’s fair to assume that it knows PSS.

Yoav
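The encoding difference the thread is arguing over, as an added example that is not part of the original messages or of any TLS implementation: it implements the EMSA-PKCS1-v1_5 and EMSA-PSS encodings from RFC 8017 with SHA-256 using only the Python standard library. The RSA modular exponentiation is left out on purpose, since the weakness Hanno alludes to lives in the padding and in how verifiers parse it; the "lax" verifier is deliberately written with the classic bug (trailing bytes after the DigestInfo are never checked) that Bleichenbacher's 2006 e = 3 forgery exploited, next to a strict re-encode-and-compare verifier. The message, the 8-byte padding in the forged encoded message and the 2048-bit key size (emBits = 2047) are constructed for the illustration.

```python
"""EMSA-PKCS1-v1_5 versus EMSA-PSS (RFC 8017) with SHA-256, stdlib only.
Padding layer only; the RSA primitive and sample inputs are omitted or constructed."""
import hashlib
import hmac
import os

HLEN = 32  # SHA-256 output length
# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message, em_len):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo. Fully deterministic."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def pkcs1_v15_verify_strict(message, em):
    """Re-encode and compare the whole EM instead of parsing the padding."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(expected, em)


def pkcs1_v15_verify_lax(message, em):
    """Deliberately buggy parsing verifier: checks the DigestInfo after the 00
    separator but ignores whatever trails the hash. With e = 3 an attacker can
    pick that trailer so the EM is a perfect cube and forge without the key."""
    if em[:2] != b"\x00\x01":
        return False
    sep = em.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):  # at least 8 bytes of FF
        return False
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    return em[sep + 1:sep + 1 + len(t)] == t  # trailing bytes never checked


def mgf1(seed, mask_len):
    """MGF1 with SHA-256 (RFC 8017, appendix B.2.1)."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range((mask_len + HLEN - 1) // HLEN))
    return out[:mask_len]


def emsa_pss_encode(message, em_bits, salt=None):
    """EMSA-PSS encode (RFC 8017, section 9.1.1); salt length = hash length."""
    em_len = (em_bits + 7) // 8
    if salt is None:
        salt = os.urandom(HLEN)  # fresh salt: two encodings of one message differ
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("encoding error")
    m_hash = hashlib.sha256(message).digest()
    h = hashlib.sha256(b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked_db = bytearray(a ^ b for a, b in zip(db, mgf1(h, len(db))))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the leading bits
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(message, em, em_bits, s_len=HLEN):
    """EMSA-PSS verify (RFC 8017, section 9.1.2)."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < HLEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    clear = 8 * em_len - em_bits
    if clear and masked_db[0] >> (8 - clear):
        return False
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, len(masked_db))))
    db[0] &= 0xFF >> clear
    pad_len = em_len - HLEN - s_len - 2
    if any(db[:pad_len]) or db[pad_len] != 0x01:
        return False
    salt = bytes(db[pad_len + 1:])
    m_hash = hashlib.sha256(message).digest()
    return hmac.compare_digest(h, hashlib.sha256(b"\x00" * 8 + m_hash + salt).digest())


def demo():
    """Constructed sample: exercise both encodings at a 2048-bit key size."""
    msg = b"constructed handshake transcript"
    em_len, em_bits = 256, 2047  # emBits = modBits - 1 for a 2048-bit modulus
    v15 = emsa_pkcs1_v15_encode(msg, em_len)
    pss_a, pss_b = emsa_pss_encode(msg, em_bits), emsa_pss_encode(msg, em_bits)
    # Bleichenbacher-style EM: short padding, valid DigestInfo, attacker-chosen trailer
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    forged = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    forged += b"\x42" * (em_len - len(forged))
    return {
        "v15_deterministic": v15 == emsa_pkcs1_v15_encode(msg, em_len),
        "pss_randomized": pss_a != pss_b,
        "v15_strict_ok": pkcs1_v15_verify_strict(msg, v15),
        "pss_ok": emsa_pss_verify(msg, pss_a, em_bits) and emsa_pss_verify(msg, pss_b, em_bits),
        "forgery_passes_lax": pkcs1_v15_verify_lax(msg, forged),
        "forgery_fails_strict": pkcs1_v15_verify_strict(msg, forged),
        "pss_rejects_tamper": emsa_pss_verify(msg + b"!", pss_a, em_bits),
    }
```

Running `demo()` shows the two properties that matter for the thread: the v1.5 encoding is a fixed byte string that a sloppy parser can be talked into accepting (the forged EM passes the lax verifier and fails the strict one), while a PSS encoding is salted, masked with MGF1 and verified by recomputing the hash over the recovered salt, so there is no padding structure to parse loosely in the first place.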