Re: [TLS] Using RSA PSS in TLS

Hanno Böck <> Mon, 14 October 2013 08:49 UTC

Date: Mon, 14 Oct 2013 10:49:12 +0200
From: Hanno Böck <>
To: Johannes Merkle <>
Message-ID: <20131014104912.7b19bd93@pc>

On Mon, 14 Oct 2013 10:39:25 +0200
Johannes Merkle <> wrote:

> While the current discussion on this list is about ECC, I would like
> to raise the question if it were not desirable to allow usage of
> provably secure RSA-PSS signatures from PKCS#1v2.1 in TLS.
> Of course, an issue with this idea is that, if we replace DHE_RSA and
> ECDHE_RSA with DHE_PSS and ECDHE_PSS, we end up with a whole bunch of
> new cipher suites. An alternative could be a new extension signaling
> the RSA version used (with PKCS#1v1.5 as default).

Why would you want to allow RSA in non-PSS-mode at all? And why on
earth would you want to make the less secure PKCS#1v1.5 the default?
There's simply zero advantage of PKCS#1v1.5 over PSS, except for legacy
compatibility. But as PKCS#1v2.1 has now been out for eleven years, we could just
start using it.

I'd say: Preferably with the next TLS version RSA should simply be
switched to PSS.

Hanno Böck
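The two signature encodings the thread is contrasting, as an added example that is not part of the message or the working group's own material: it implements EMSA-PKCS1-v1_5 and EMSA-PSS (with MGF1 and SHA-256) as specified in RFC 3447 and wraps them around a toy, pure-Python RSA key so it runs offline. The key generation, the scheme labels "pss" and "v15", and the sample message are assumptions of this example, and the key is not hardened in any way; real code should use a vetted library.

```python
# Added example, not from the thread: the EMSA-PKCS1-v1_5 and EMSA-PSS signature
# encodings of RFC 3447 (PKCS#1 v2.1) over a toy pure-Python RSA key (illustration only).
import hashlib, os, random

HASH, H_LEN = hashlib.sha256, hashlib.sha256().digest_size
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 3447 9.2

def _is_probable_prime(n, rounds=24):  # Miller-Rabin; n is an odd candidate >= 5
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_key(bits=1024):  # toy RSA key (n, e, d): no CRT, no side-channel hardening
    rng, e, primes = random.SystemRandom(), 65537, []
    while len(primes) < 2:
        c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # fixed size, odd
        if _is_probable_prime(c) and (c - 1) % e:  # (c-1) % e != 0 keeps gcd(e, phi) == 1
            primes.append(c)
    n, phi = primes[0] * primes[1], (primes[0] - 1) * (primes[1] - 1)
    return n, e, pow(e, -1, phi)

def mgf1(seed, length):  # RFC 3447 B.2.1: counter-mode hash expansion
    blocks = (HASH(seed + i.to_bytes(4, "big")).digest() for i in range(-(-length // H_LEN)))
    return b"".join(blocks)[:length]

def emsa_pkcs1_v15_encode(message, em_len):  # RFC 3447 9.2: fixed, deterministic padding
    t = SHA256_DIGESTINFO + HASH(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def emsa_pss_encode(message, em_bits, salt=None, s_len=H_LEN):  # RFC 3447 9.1.1
    em_len = -(-em_bits // 8)
    if em_len < H_LEN + s_len + 2:
        raise ValueError("encoding error")
    salt = os.urandom(s_len) if salt is None else salt  # fresh salt: PSS is randomized
    h = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()
    db = b"\x00" * (em_len - s_len - H_LEN - 2) + b"\x01" + salt
    masked = bytearray(a ^ b for a, b in zip(db, mgf1(h, em_len - H_LEN - 1)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the bits above emBits
    return bytes(masked) + h + b"\xbc"

def emsa_pss_verify(message, em, em_bits, s_len=H_LEN):  # RFC 3447 9.1.2
    em_len = -(-em_bits // 8)
    if em_len < H_LEN + s_len + 2 or len(em) != em_len or em[-1] != 0xBC:
        return False
    masked, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : -1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:  # leading bits must be zero
        return False
    db = bytearray(a ^ b for a, b in zip(masked, mgf1(h, len(masked))))
    db[0] &= top
    ps_len = em_len - H_LEN - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[ps_len + 1 :])
    return h == HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()

def sign(key, message, scheme):  # scheme is "pss" or "v15" (labels chosen for this example)
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    em = (emsa_pss_encode(message, n.bit_length() - 1) if scheme == "pss"
          else emsa_pkcs1_v15_encode(message, k))
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def verify(key, message, signature, scheme):
    n, e, _ = key
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:  # RFC 3447 8.1.2/8.2.2: representative out of range
        return False
    em = pow(s, e, n).to_bytes(k, "big")  # keys here have 1023 or 1024 bits, so PSS emLen == k
    if scheme == "pss":
        return emsa_pss_verify(message, em, n.bit_length() - 1)
    return em == emsa_pkcs1_v15_encode(message, k)  # v1.5: re-encode, compare the whole EM

def demo(key=None):  # side-by-side behaviour over a constructed sample message
    key = key or generate_key()
    msg = b"constructed sample: ServerKeyExchange params"
    v15 = [sign(key, msg, "v15") for _ in range(2)]
    pss = [sign(key, msg, "pss") for _ in range(2)]
    return {
        "both_verify": verify(key, msg, v15[0], "v15") and verify(key, msg, pss[0], "pss"),
        "v15_deterministic": v15[0] == v15[1],
        "pss_randomized": pss[0] != pss[1],
        "cross_scheme_rejected": not (verify(key, msg, v15[0], "pss") or verify(key, msg, pss[0], "v15")),
        "tampered_rejected": not verify(key, msg + b"!", pss[0], "pss"),
    }
```

Running demo() shows the practical consequence of the thread's point: the same key can produce either encoding, the two are not interchangeable (a PSS verifier rejects a v1.5 signature and vice versa), and PSS signatures over the same message differ because of the salt, whereas v1.5 ones are byte-identical. That mutual rejection is exactly why a TLS peer has to be told which encoding is in use, whether by new cipher suites or by a signalling extension, as the quoted message discusses.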