Re: [TLS] Using RSA PSS in TLS
Hanno Böck <hanno@hboeck.de> Mon, 14 October 2013 08:49 UTC
Date: Mon, 14 Oct 2013 10:49:12 +0200
From: Hanno Böck <hanno@hboeck.de>
To: Johannes Merkle <johannes.merkle@secunet.com>
Message-ID: <20131014104912.7b19bd93@pc>
In-Reply-To: <525BADBD.8020007@secunet.com>
References: <525BADBD.8020007@secunet.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Using RSA PSS in TLS

On Mon, 14 Oct 2013 10:39:25 +0200
Johannes Merkle <johannes.merkle@secunet.com> wrote:

> While the current discussion on this list is about ECC, I would like
> to raise the question if it were not desirable to allow usage of
> provably secure RSA-PSS signatures from PKCS#1v2.1 in TLS.
>
> Of course, an issue with this idea is that, if we replace DHE_RSA and
> ECDHE_RSA with DHE_PSS and ECDHE_PSS, we end up with a whole bunch of
> new cipher suites. An alternative could be a new extension signaling
> the RSA version used (with PKCS#1v1.5 as default).

Why would you want to allow RSA in non-PSS-mode at all? And why on
earth would you want to make the less secure PKCS#1v1.5 the default?

There's simply zero advantage of PKCS#1v1.5 over PSS, except for legacy
compatibility. But as PKCS#1v2.1 is now out eleven years, we could just
start using it.

I'd say: Preferably with the next TLS version RSA should simply be
switched to PSS.

--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42