Re: [TLS] PR to clarify RSASSA-PSS requirements

Nikos Mavrogiannopoulos <nmav@redhat.com> Wed, 22 November 2017 08:42 UTC

Message-ID: <1511340124.22935.27.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Peter Wu <peter@lekensteyn.nl>, tls@ietf.org
Date: Wed, 22 Nov 2017 09:42:04 +0100
In-Reply-To: <20171122035404.GC18321@al>
References: <20171122035404.GC18321@al>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/L9voZFWWqCJtYASYuGLZr9LU9Z4>

On Wed, 2017-11-22 at 03:54 +0000, Peter Wu wrote:
> Hi,
> 
> At the moment there is still ambiguity in the requirements for PSS
> with relation to certificates. Proposal to clarify this:
> https://github.com/tlswg/tls13-spec/pull/1098
> 
> 
> This PR intends to clarify the requirements for PSS support.

Hi,
I commented on the PR, but to provide more context: I believe RSA-PSS
keys without parameters MUST be supported under TLS1.3. The reason is
that keys explicitly marked as RSA-PSS cannot be used for RSA PKCS#1
1.5 encryption, and thus they provide a way for the server to know that
it must protect that key against (cross-protocol) attacks which utilize
RSA ciphersuites under TLS1.2.

On why you don't want mixing keys for TLS1.3 and TLS1.2 RSA
ciphersuites, see all the Bleichenbacher attack reiterations over the
years.

So what about distinguishing the RSA-PSS keys with and without
parameters:

"an RSASSA-PSS public key (OID id-RSASSA-PSS) without parameters MUST
be supported, while an RSASSA-PSS public key (OID id-RSASSA-PSS) with
parameters MAY be supported."

regards,
Nikos
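The distinction the message relies on, that a key marked id-RSASSA-PSS cannot be offered for PKCS#1 v1.5 key exchange while a plain rsaEncryption key can, comes down to the AlgorithmIdentifier in the certificate's SubjectPublicKeyInfo. The following Python is an added example, not code from this thread or from the tls13-spec project: it builds three constructed SubjectPublicKeyInfo encodings (toy modulus, not a real key), classifies each by OID and by whether parameters are absent or present, and maps the result to a server-side policy. The MUST/MAY levels for the two PSS cases follow the wording proposed in the message; the scheme names and the "no RSA key exchange for PSS keys" rule follow RFC 8446 section 4.2.3. The function and field names are this example's own choices.

```python
"""Classify an X.509 SubjectPublicKeyInfo by key-type OID and decide which TLS
uses a server should allow for the key.  Added example for the thread above;
the sample keys are constructed with a toy modulus and are not real keys."""

OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption (PKCS#1)
OID_RSASSA_PSS = "1.2.840.113549.1.1.10"      # id-RSASSA-PSS (RFC 4055)
OID_SHA256 = "2.16.840.1.101.3.4.2.1"

# ---- minimal DER encoder, only what is needed to build the sample keys ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))

def der_int(n):
    # (bit_length + 8) // 8 leaves room for a leading zero when the top bit is set
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_spki(alg_oid, params, public_key_der):
    alg = der_tlv(0x30, der_oid(alg_oid) + params)          # AlgorithmIdentifier
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + public_key_der))

# Constructed toy RSAPublicKey { n, e } shared by all three samples (NOT a real key).
TOY_RSA_PUBLIC_KEY = der_tlv(0x30, der_int(0xC5C1) + der_int(65537))
# Constructed RSASSA-PSS-params: [0] hashAlgorithm sha256, [2] saltLength 32.
PSS_PARAMS_SHA256 = der_tlv(0x30,
    der_tlv(0xA0, der_tlv(0x30, der_oid(OID_SHA256))) + der_tlv(0xA2, der_int(32)))

SAMPLE_RSA = build_spki(OID_RSA_ENCRYPTION, der_tlv(0x05, b""), TOY_RSA_PUBLIC_KEY)
SAMPLE_PSS_NO_PARAMS = build_spki(OID_RSASSA_PSS, b"", TOY_RSA_PUBLIC_KEY)
SAMPLE_PSS_WITH_PARAMS = build_spki(OID_RSASSA_PSS, PSS_PARAMS_SHA256, TOY_RSA_PUBLIC_KEY)

# ---- minimal DER reader ----
def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def classify_spki(der):
    """Return (algorithm OID, parameter kind) with kind in 'absent', 'null', 'present'."""
    tag, spki_body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    tag, alg_body, _ = _read_tlv(spki_body, 0)
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid_content, pos = _read_tlv(alg_body, 0)
    assert tag == 0x06, "algorithm must be an OID"
    if pos >= len(alg_body):
        kind = "absent"
    else:
        ptag, _, _ = _read_tlv(alg_body, pos)
        kind = "null" if ptag == 0x05 else "present"
    return _decode_oid(oid_content), kind

def tls_key_policy(der):
    """Map a SubjectPublicKeyInfo to the TLS uses a server should allow for it."""
    oid, params = classify_spki(der)
    if oid == OID_RSA_ENCRYPTION:
        # A plain RSA key signs with rsa_pss_rsae_* in TLS 1.3 but the same key can
        # also serve TLS 1.2 RSA key exchange, so Bleichenbacher countermeasures
        # matter wherever RSA ciphersuites remain enabled for it.
        return {"key_type": "rsaEncryption", "support_level": "n/a (not a PSS key)",
                "tls13_schemes": "rsa_pss_rsae_*", "rsa_key_exchange_possible": True}
    if oid == OID_RSASSA_PSS:
        if params == "null":
            # RFC 4055 allows only absent parameters or an RSASSA-PSS-params SEQUENCE.
            level = "reject (NULL parameters are not a valid id-RSASSA-PSS encoding)"
        else:
            level = "MUST" if params == "absent" else "MAY"   # wording from the message
        # A PSS-marked key is never acceptable for PKCS#1 v1.5 key exchange, which is
        # exactly why the message wants it supported: no cross-protocol oracle exists.
        return {"key_type": "id-RSASSA-PSS", "support_level": level,
                "tls13_schemes": "rsa_pss_pss_*", "rsa_key_exchange_possible": False}
    return {"key_type": oid, "support_level": "n/a", "tls13_schemes": None,
            "rsa_key_exchange_possible": False}

if __name__ == "__main__":
    for name, spki in [("rsaEncryption", SAMPLE_RSA), ("PSS no params", SAMPLE_PSS_NO_PARAMS),
                       ("PSS with params", SAMPLE_PSS_WITH_PARAMS)]:
        print(name, classify_spki(spki), tls_key_policy(spki))
```

A server that loads its certificates through a check like `tls_key_policy` can refuse to enable RSA key-exchange ciphersuites for a key unless the policy reports `rsa_key_exchange_possible`, which is the operational form of the argument in the message: only keys whose SubjectPublicKeyInfo says rsaEncryption can ever reach a PKCS#1 v1.5 decryption path.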