Re: [TLS] RSA-PSS in TLS 1.3

Hanno Böck <hanno@hboeck.de> Mon, 29 February 2016 22:36 UTC

Date: Mon, 29 Feb 2016 23:36:17 +0100
From: Hanno Böck <hanno@hboeck.de>
To: tls@ietf.org
Message-ID: <20160229233617.5466ebd3@pc1>
In-Reply-To: <56D4ABAD.90902@brainhub.org>
References: <CAOgPGoD=AAFDUXN8VkOHwTMEUm+-qi548NsicoD=1yQKSu-sng@mail.gmail.com> <56D4ABAD.90902@brainhub.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/LOsVp6G1_W5b-aPCp6bKxoM2O2o>
Subject: Re: [TLS] RSA-PSS in TLS 1.3

On Mon, 29 Feb 2016 12:35:57 -0800
Andrey Jivsov <crypto@brainhub.org> wrote:

> Without a generous advance warning about PKCS#1.5 removal by TLS 1.3,
> we have to deal with already deployed hardware. Had vendors and
> customers known that TLS 1.3 will remove PKCS #1.5, we probably would
> have ended up with a more PSS-friendly Internet.

Ok, look, I really would like to understand what you're trying to say
here.

What would such a warning look like? We have an RFC for PSS since 2003.
We had several attacks showing the weakness of PKCS #1 1.5. Wasn't that
warning enough? If not, what would such a warning look like? I'd really
like to know, because we will have similar situations in the future
and I'd like to avoid people lobbying in the background to continue
supporting weak crypto.

There will be some new TLS version some day and we will try to get
better algorithms into it. So how do we warn you next time?

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42