Re: [TLS] PSS for TLS 1.3
Hanno Böck <hanno@hboeck.de> Mon, 23 March 2015 10:22 UTC
Date: Mon, 23 Mar 2015 11:22:32 +0100
From: Hanno Böck <hanno@hboeck.de>
To: tls@ietf.org
Message-ID: <20150323112232.5964828b@pc1.fritz.box>
In-Reply-To: <CABcZeBOeoyggJfma8rvyeRrh6Dw+oSp5P-oUG0MR3ZprBOyUPQ@mail.gmail.com>
References: <CABcZeBOeoyggJfma8rvyeRrh6Dw+oSp5P-oUG0MR3ZprBOyUPQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/NkgO5AbdmmPHjTlnkjxNvnU1GvY>
I'm glad this comes up. I wanted to push for it again, but didn't find the time lately.

On Sun, 22 Mar 2015 15:09:31 -0700
Eric Rescorla <ekr@rtfm.com> wrote:

> 2. Adopt PSS as the only signature format for non-certificate
> signatures (but require acceptance of PKCS#1 1.5 for
> certificates)

+1

I think this totally makes sense. I think we should see signatures for PKI separately than for TLS (i.e. signing certificates versus signing handshakes). Pushing PKI to support PSS can be done separately, but it is probably much more difficult due to backwards compatibility issues. But it doesn't need to happen inside the TLS 1.3 specification. (And the tech / spec for doing so is already available.)

I have some ideas how this should be done though. The PSS spec currently allows a wide range of flexibility. It is for example in theory possible to use two different hash functions within the same signature (there's a hash and an MGF that's based on a hash). I think it would make implementations much easier if the spec defined a pre-defined set of sane parameters and didn't allow the full flexibility of PSS.

Also - which seems obvious - the use of insecure parameters (SHA-1, I'm looking at you) should be forbidden completely.

(And if this helps: I wrote my diploma thesis on PSS a few years ago, and the NSS implementation was originally written by me. I think I have a pretty good idea about the issues surrounding PSS; if anyone feels they have any questions, I'm glad to try to answer them.)

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42
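The point about PSS carrying two independent hash choices (the message hash and the hash inside MGF1) is easiest to see in the encoding itself. The following is an added example, not code from this thread or from NSS: a minimal EMSA-PSS encode/verify (RFC 3447 section 9.1) on top of Python's hashlib, plus a `pss_params_ok` check for an assumed fixed profile of the kind the message argues for (one hash for both roles, salt length equal to the digest length, SHA-1 and MD5 rejected; this is also the profile RFC 8446 later fixed for TLS 1.3). `em_bits` is the modulus bit length minus one, as in the RFC.

```python
import hashlib
import hmac

# Added example; not from the mailing-list thread. Illustrates that the
# message hash (hash_name) and the MGF1 hash (mgf_hash) are separate PSS
# parameters that signer and verifier must both agree on.

def mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    """MGF1 (RFC 3447 B.2.1), driven by its own hash choice."""
    hlen = hashlib.new(hash_name).digest_size
    out = b"".join(hashlib.new(hash_name, seed + i.to_bytes(4, "big")).digest()
                   for i in range((length + hlen - 1) // hlen))
    return out[:length]

def emsa_pss_encode(msg: bytes, em_bits: int, hash_name: str, mgf_hash: str, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE: returns EM of (em_bits + 7) // 8 octets."""
    em_len = (em_bits + 7) // 8
    mhash = hashlib.new(hash_name, msg).digest()
    hlen = len(mhash)
    if em_len < hlen + len(salt) + 2:
        raise ValueError("encoding error: EM too short for hash and salt")
    hval = hashlib.new(hash_name, b"\x00" * 8 + mhash + salt).digest()  # H
    db = b"\x00" * (em_len - len(salt) - hlen - 2) + b"\x01" + salt     # PS || 0x01 || salt
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(hval, em_len - hlen - 1, mgf_hash)))
    top_mask = 0xFF >> (8 * em_len - em_bits)  # clear the bits above em_bits
    return bytes([masked_db[0] & top_mask]) + masked_db[1:] + hval + b"\xbc"

def emsa_pss_verify(msg: bytes, em: bytes, em_bits: int, hash_name: str, mgf_hash: str, salt_len: int) -> bool:
    """EMSA-PSS-VERIFY: True only if EM is consistent with msg and parameters."""
    em_len = (em_bits + 7) // 8
    mhash = hashlib.new(hash_name, msg).digest()
    hlen = len(mhash)
    if len(em) != em_len or em_len < hlen + salt_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, hval = em[:em_len - hlen - 1], em[em_len - hlen - 1:-1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] > top_mask:  # leading bits above em_bits must be zero
        return False
    db = bytes(a ^ b for a, b in zip(masked_db, mgf1(hval, em_len - hlen - 1, mgf_hash)))
    db = bytes([db[0] & top_mask]) + db[1:]
    pad_len = em_len - hlen - salt_len - 2
    if db[:pad_len] != b"\x00" * pad_len or db[pad_len] != 0x01:
        return False
    salt = db[pad_len + 1:]
    expected = hashlib.new(hash_name, b"\x00" * 8 + mhash + salt).digest()
    return hmac.compare_digest(hval, expected)  # constant-time compare of H

FORBIDDEN_HASHES = {"md5", "sha1"}  # assumed profile: weak digests rejected outright

def pss_params_ok(hash_name: str, mgf_hash: str, salt_len: int) -> bool:
    """Assumed fixed profile: same hash for both roles, salt == digest length, no SHA-1/MD5."""
    if hash_name in FORBIDDEN_HASHES or mgf_hash in FORBIDDEN_HASHES:
        return False
    return hash_name == mgf_hash and salt_len == hashlib.new(hash_name).digest_size
```

A verifier that takes the MGF1 hash from the peer's (or a certificate's) parameters rather than from a fixed profile must handle every combination; with the profile check in front, only the one agreed combination ever reaches the decoder.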