Re: [TLS] TLS RSA-PSS and various versions of TLS
Dr Stephen Henson <lists@drh-consultancy.co.uk> Sat, 18 February 2017 13:01 UTC
Return-Path: <lists@drh-consultancy.co.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A76931294EE for <tls@ietfa.amsl.com>; Sat, 18 Feb 2017 05:01:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.59
X-Spam-Level:
X-Spam-Status: No, score=-2.59 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, T_HK_NAME_DR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fl2LmqNDIR-M for <tls@ietfa.amsl.com>; Sat, 18 Feb 2017 05:01:45 -0800 (PST)
Received: from claranet-outbound-smtp03.uk.clara.net (claranet-outbound-smtp03.uk.clara.net [195.8.89.36]) by ietfa.amsl.com (Postfix) with ESMTP id 693FD1294E1 for <tls@ietf.org>; Sat, 18 Feb 2017 05:01:45 -0800 (PST)
Received: from host86-133-224-58.range86-133.btcentralplus.com ([86.133.224.58]:51482 helo=[192.168.1.64]) by relay03.mail.eu.clara.net (relay.clara.net [81.171.239.33]:10465) with esmtpa (authdaemon_plain:drh) id 1cf4dv-0001kI-BD (return-path <lists@drh-consultancy.co.uk>); Sat, 18 Feb 2017 13:01:40 +0000
To: Martin Thomson <martin.thomson@gmail.com>
References: <E521BA5F-4563-44D2-B186-B11B7B214A15@mobileiron.com> <20170208211738.GB17727@LK-Perkele-V2.elisa-laajakaista.fi> <53320524-0da9-2b59-c348-e1d585572c03@drh-consultancy.co.uk> <CABkgnnXrA9=yRuDwg6=mLQC8evt+N7D1JZjHt4ZBvFM-xT4XxQ@mail.gmail.com>
From: Dr Stephen Henson <lists@drh-consultancy.co.uk>
Message-ID: <14d2a8f5-8c63-853e-b883-b52c47a1fd5c@drh-consultancy.co.uk>
Date: Sat, 18 Feb 2017 13:01:36 +0000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <CABkgnnXrA9=yRuDwg6=mLQC8evt+N7D1JZjHt4ZBvFM-xT4XxQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XsjgmpHBOGqUIbo4ujCtavYt8dI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS RSA-PSS and various versions of TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Feb 2017 13:01:47 -0000
On 18/02/2017 10:01, Martin Thomson wrote: > On 18 February 2017 at 13:31, Dr Stephen Henson > <lists@drh-consultancy.co.uk> wrote: >> could a TLS 1.2 server legally present a certificate containing an >> RSASSA-PSS key for an appropriate ciphersuite? Similarly could a client present >> a certificate contain an RSASSA-PSS key? > > NSS, when configured to do so, will do just that. I wouldn't > recommend it right now, but it is legal. Actually, if you offer > support for validating PSS and end up negotiating 1.2, then you should > be prepared to receive PSS signatures. It's a wee gotcha in the 1.3 > spec. > > The reason I wasn't sure about this is that for TLS 1.2 the server certificate key algorithm is associated with a ciphersuite. So for example the "RSA" in TLS_DH_RSA_WITH_AES_256_CBC_SHA256 would previously refer to the OID rsaEncryption (1 2 840 113549 1 1 1) if PSS is included in signature algorithms it could also refer to id-RSASSA-PSS. Similarly for client certificates there is the ClientCertificateType rsa_sign though RFC5246 just says "a certificate containing an RSA key". I'd be curious to know what other implementations do. I suggest we make this possibility clear in the spec, along with the salt length in certificate signatures previously discussed. Otherwise it isn't inconceivable that some will reject id-RSASSA-PSS keys in end entity certificates in TLS 1.2. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.co.uk/ Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
- Re: [TLS] TLS RSA-PSS and various versions of TLS Dr Stephen Henson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Dr Stephen Henson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Benjamin Kaduk
- Re: [TLS] TLS RSA-PSS and various versions of TLS Dr Stephen Henson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Ilari Liusvaara
- Re: [TLS] TLS RSA-PSS and various versions of TLS Martin Rex
- [TLS] TLS RSA-PSS and various versions of TLS Timothy Jackson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Yoav Nir
- Re: [TLS] TLS RSA-PSS and various versions of TLS Martin Thomson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Ilari Liusvaara
- Re: [TLS] TLS RSA-PSS and various versions of TLS Martin Thomson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Dr Stephen Henson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Martin Thomson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Dr Stephen Henson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Viktor Dukhovni
- Re: [TLS] TLS RSA-PSS and various versions of TLS Dr Stephen Henson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Ilari Liusvaara
- Re: [TLS] TLS RSA-PSS and various versions of TLS Martin Thomson
- Re: [TLS] TLS RSA-PSS and various versions of TLS Hubert Kario