Re: [TLS] PSS for TLS 1.3

Nikos Mavrogiannopoulos <nmav@redhat.com> Mon, 23 March 2015 10:47 UTC

Message-ID: <1427107642.19595.19.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 23 Mar 2015 11:47:22 +0100
In-Reply-To: <CABcZeBOeoyggJfma8rvyeRrh6Dw+oSp5P-oUG0MR3ZprBOyUPQ@mail.gmail.com>
References: <CABcZeBOeoyggJfma8rvyeRrh6Dw+oSp5P-oUG0MR3ZprBOyUPQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Ib1Jj-exgx2-wa37Q3j9m_I_jM0>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PSS for TLS 1.3

On Sun, 2015-03-22 at 15:09 -0700, Eric Rescorla wrote:
> During the interim we discussed adopting PSS for
> RSA signatures in TLS 1.3.
> Clearly, we will not be able to just adopt PSS because certificates
> will continue to be signed with PKCS#1 1.5. However, we could adopt
> PSS for signatures outside of the certificate context. Roughly
> speaking, we have three options:
> 1. Do not adopt PSS.
> 2. Adopt PSS as the only signature format for non-certificate
>    signatures (but require acceptance of PKCS#1 1.5 for
>    certificates)
> 3. Negotiate the use of PSS versus PKCS#1 1.5

Does (3) imply the usage of signatureAlgorithms to negotiate? I guess
that's the more natural approach, as a client could support both RSA and
PSS_RSA at the same time.

However, that is complicated by the fact that new ciphersuites are
needed to use RSA_PSS on the end certificates. That's because the
ciphersuite name contains the type of the certificate of the peer.
I have argued for abolishing that [0].

Overall, I'm not sure how useful a connection with a PSS signature in
the handshake, but a PKCS #1 1.5 signature in the certificate, is.
However, that looks like the only path to deprecate PKCS #1 1.5 and move
to PSS (if the WG thinks it's worth it).

regards,
Nikos

[0]. https://github.com/tlswg/tls13-spec/issues/98
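As an added illustration of option (3), negotiating the handshake signature scheme through signatureAlgorithms while the certificate keeps its own PKCS#1 1.5 signature (example code written for this archive page, not code from this thread or from any TLS implementation). It assumes the SignatureScheme code points that were later assigned in RFC 8446, and models the extension body as a uint16 length followed by uint16 scheme values, with the cert's signature scheme still having to appear in the client's advertised list:

```python
import struct

# SignatureScheme code points from RFC 8446 (assigned after this 2015 thread).
RSA_PKCS1_SHA256 = 0x0401
RSA_PKCS1_SHA384 = 0x0501
RSA_PSS_RSAE_SHA256 = 0x0804
RSA_PSS_RSAE_SHA384 = 0x0805
ECDSA_SECP256R1_SHA256 = 0x0403

PSS_SCHEMES = {RSA_PSS_RSAE_SHA256, RSA_PSS_RSAE_SHA384}
PKCS1_SCHEMES = {RSA_PKCS1_SHA256, RSA_PKCS1_SHA384}


def encode_signature_algorithms(schemes):
    """Build the extension body: uint16 byte length, then uint16 scheme values."""
    body = b"".join(struct.pack("!H", s) for s in schemes)
    return struct.pack("!H", len(body)) + body


def decode_signature_algorithms(data):
    """Parse the extension body, rejecting odd, empty or truncated lists."""
    if len(data) < 2:
        raise ValueError("truncated signature_algorithms")
    (length,) = struct.unpack("!H", data[:2])
    if length == 0 or length % 2 or len(data) != 2 + length:
        raise ValueError("bad signature_algorithms length")
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + length, 2)]


def choose_handshake_scheme(client_schemes, server_schemes, cert_sig_scheme):
    """Server-side selection for option (3).

    The handshake signature prefers PSS in the client's preference order and
    falls back to PKCS#1 1.5.  The certificate chain was signed long before the
    handshake, so its scheme (assumed here to be checked against the same list)
    must be one the client accepts, or no usable configuration exists.
    Returns the chosen scheme, or None when nothing fits.
    """
    if cert_sig_scheme not in client_schemes:
        return None
    common = [s for s in client_schemes if s in server_schemes]
    for pool in (PSS_SCHEMES, PKCS1_SCHEMES):
        for s in common:
            if s in pool:
                return s
    return None
```

A client offering both PSS and PKCS#1 1.5 ends up with a PSS handshake signature and a PKCS#1 1.5 certificate, which is exactly the mixed configuration the message questions the value of.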