Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"
Dr Stephen Henson <lists@drh-consultancy.co.uk> Tue, 12 September 2017 13:41 UTC
Return-Path: <lists@drh-consultancy.co.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50A34132D22 for <tls@ietfa.amsl.com>; Tue, 12 Sep 2017 06:41:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.711
X-Spam-Level:
X-Spam-Status: No, score=-0.711 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, T_HK_NAME_DR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Myc2_vOlmLzj for <tls@ietfa.amsl.com>; Tue, 12 Sep 2017 06:41:20 -0700 (PDT)
Received: from claranet-outbound-smtp04.uk.clara.net (claranet-outbound-smtp04.uk.clara.net [195.8.89.37]) by ietfa.amsl.com (Postfix) with ESMTP id 277C91321C7 for <tls@ietf.org>; Tue, 12 Sep 2017 06:41:19 -0700 (PDT)
Received: from host86-132-183-251.range86-132.btcentralplus.com ([86.132.183.251]:14786 helo=[192.168.1.78]) by relay04.mail.eu.clara.net (relay.clara.net [81.171.239.34]:10465) with esmtpa (authdaemon_plain:drh) id 1drlRF-0000mP-Dh for tls@ietf.org (return-path <lists@drh-consultancy.co.uk>); Tue, 12 Sep 2017 13:41:18 +0000
To: tls@ietf.org
References: <20170908225948.GC31695@al> <CABcZeBNYoqpWx_3V42wut3FUUt3xELv5J5YayvcrhwzJKqgcyg@mail.gmail.com>
From: Dr Stephen Henson <lists@drh-consultancy.co.uk>
Message-ID: <cafe5f94-f2f8-98d7-c536-fbc59e94fb97@drh-consultancy.co.uk>
Date: Tue, 12 Sep 2017 14:41:16 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBNYoqpWx_3V42wut3FUUt3xELv5J5YayvcrhwzJKqgcyg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/UjS8myu6gP3DHll9ow16VJLob9s>
Subject: Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Sep 2017 13:41:22 -0000
On 11/09/2017 19:42, Eric Rescorla wrote: > Ugh. > > Generally, the idea with signature schemes is that they are supposed to reflect > both the capabilities of your TLS stack and the capabilities of your PKI > verifier [0]. So, yes, if you advertise this it is supposed to work. So, ideally > we would just say that it's as Ilari says in his followup. > > It seems like there are really two choices: > > 1. Only advertise algorithm X if you support algorithm X in both places > 2. Invent a new extension whose semantics are "if present, this tells you what > the PKI validator accepts, otherwise look at signature schemes" > > I hate to be suggesting #2 at this stage in the process, but maybe it's right > anyway... > It's rather more than just certificate signatures. The problem here is that there is no way to indicate an implementation supports rsaEncryption keys but not RSASSA-PSS keys and the current draft requires that implementations support both AFAICS. RSASSA-PSS keys are pretty rare at the moment. There are some complications involved with supporting them not present with other key types: more complex parameter sets and key restrictions for example. Implementors might feel (despite what the draft says) that the added complexity is not justified because no one will ever want to use RSASSA-PSS keys. At the same time if important implementations abort the handshake when they see an RSASSA-PSS key then this is a strong reason for a server to not deploy RSASSA-PSS keys: it will cause interoperability issues. Steve. -- Dr Stephen N. Henson. Founder member of the OpenSSL project: http://www.openssl.org/
- [TLS] RSASSA-PSS in certificates and "signature_a… Peter Wu
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Ilari Liusvaara
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Dr Stephen Henson
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Eric Rescorla
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Nick Sullivan
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Nikos Mavrogiannopoulos
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Ilari Liusvaara
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Martin Rex
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Ilari Liusvaara
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Martin Rex
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Dr Stephen Henson
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Nikos Mavrogiannopoulos
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Dr Stephen Henson
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Eric Rescorla
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario