Re: [TLS] PSS and TLS 1.3
Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 20 January 2017 18:15 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 484CD129694 for <tls@ietfa.amsl.com>; Fri, 20 Jan 2017 10:15:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.099
X-Spam-Level:
X-Spam-Status: No, score=-5.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-3.199] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id srADCBbupmgk for <tls@ietfa.amsl.com>; Fri, 20 Jan 2017 10:15:00 -0800 (PST)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) by ietfa.amsl.com (Postfix) with ESMTP id 28A5B12943D for <tls@ietf.org>; Fri, 20 Jan 2017 10:14:59 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id 363081A682; Fri, 20 Jan 2017 20:14:58 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id uHAcYx7pvLfX; Fri, 20 Jan 2017 20:14:56 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 987F62310; Fri, 20 Jan 2017 20:14:56 +0200 (EET)
Date: Fri, 20 Jan 2017 20:14:55 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Dr Stephen Henson <lists@drh-consultancy.co.uk>
Message-ID: <20170120181455.GA30791@LK-Perkele-V2.elisa-laajakaista.fi>
References: <e993599c-f69d-2db3-f3f3-f40caf810bd6@drh-consultancy.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <e993599c-f69d-2db3-f3f3-f40caf810bd6@drh-consultancy.co.uk>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/H7YzZeQX-CirE6SaQVYEOljKRv0>
Cc: "tls@ietf.org list" <tls@ietf.org>
Subject: Re: [TLS] PSS and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jan 2017 18:15:02 -0000
On Fri, Jan 20, 2017 at 05:43:21PM +0000, Dr Stephen Henson wrote: > Draft 18 says: > > RSASSA-PSS algorithms Indicates a signature algorithm using RSASSA- > PSS [RFC3447] with MGF1. The digest used in the mask generation > function and the digest being signed are both the corresponding > hash algorithm as defined in [SHS]. When used in signed TLS > handshake messages, the length of the salt MUST be equal to the > length of the digest output. This codepoint is defined for use > with TLS 1.2 as well as TLS 1.3. > > What are the requirements for certificates when these RSSSA-PSS is used? AFAIK, no special requirements. > The text above indicates the salt length for TLS messages. There are no > restrictions placed on certificate signature salt lengths. Does this mean that > any valid salt length (from 0 to the maximum permitted) must be supported? Well, the code I have written enforces the salt length restriction also on any possible RSA-PSS certificates in chain. This comes from not even having RSA-PSS validation code that could deal with arbitrary salt length. > Additionally PSS signatures (see RFC4055) can be used with RSA keys > (rsaEncryption OID) and RSA-PSS only keys (id-RSASSA-PSS OID). Does the > RSASSA-PSS mean that both types must be accepted? I don't think you will see the latter outside some test sites for a while... But hmm, I think I should implement RSA-PSS only keys in some of my stuff... -Ilari
- [TLS] PSS and TLS 1.3 Dr Stephen Henson
- Re: [TLS] PSS and TLS 1.3 Ilari Liusvaara
- Re: [TLS] PSS and TLS 1.3 Brian Smith
- Re: [TLS] PSS and TLS 1.3 Adam Langley
- Re: [TLS] PSS and TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] PSS and TLS 1.3 Ilari Liusvaara
- Re: [TLS] PSS and TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] PSS and TLS 1.3 Martin Thomson
- Re: [TLS] PSS and TLS 1.3 Peter Gutmann
- Re: [TLS] PSS and TLS 1.3 Yoav Nir
- Re: [TLS] PSS and TLS 1.3 Ilari Liusvaara
- Re: [TLS] PSS and TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] PSS and TLS 1.3 Ilari Liusvaara