Re: [TLS] Remove signature algorithms from cipher suites in 1.3

Hanno Böck <> Tue, 23 December 2014 09:26 UTC

Date: Tue, 23 Dec 2014 10:26:35 +0100
From: Hanno Böck <>
Message-ID: <20141223102635.3bda9ed2@pc>

On Tue, 23 Dec 2014 04:04:46 +0100
Antoine Delignat-Lavaud <> wrote:

> Hence, I propose to include with this change the introduction of a
> new SignatureAlgorithm value rsa-pss(4) that denotes PKCS#1v2.2
> RSASSA-PSS signatures with default parameters (mgf1SHA1 for mask
> generation and the length of the message digest function output as
> salt length). It may take time before this change impacts PKIX and
> CAs, but it is at least a necessary first step.

Thanks for bringing PSS for TLS 1.3 up, I wanted to do this for quite
some time.

Do I understand your proposal right that it'd result in:

a) If we use the normal RSA certificates we have today, TLS 1.3 would
continue using RSA-PKCS#1v1.5
b) If the user gets a designated RSA-PSS key/certificate, it'd use PSS?

I think this would result in near-zero adoption for PSS, probably for
a very long time, because you'd depend on the CA to do anything.

Why not go the much simpler route: Define that TLS 1.3 uses PSS by

Certificates / Keys for RSA-PSS are no different from PKCS#1v1.5 keys.
We can just use the existing ones.

(Please note that the algorithm identifier for PSS already exists for
X509, it's RFC 4055. It allows keys with an algorithm identifier
restricting to PSS, but that's no requirement - you can use the old
keys for PSS as well, as technically they're no different.)

Hanno Böck
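As an added example, not part of Hanno's mail or of any TLS working group draft, the following Go program demonstrates the point of the last two paragraphs: one ordinary RSA key, encoded as a plain rsaEncryption SubjectPublicKeyInfo with no PSS-specific parameters, signs and verifies under both RSASSA-PKCS1-v1_5 and RSASSA-PSS with the salt length equal to the digest length. It also shows why the two schemes still must be distinguished in the signature algorithm field: each signature fails under the other scheme's verifier, and PSS is randomized while v1.5 is deterministic. Assumptions: SHA-256 as the digest (the quoted proposal names mgf1SHA1 only as the OID's default mask-generation parameter; Go's rsa.SignPSS drives MGF1 with the signature's own hash, so here it is MGF1-SHA256), a freshly generated 2048-bit key, and a constructed message. The function and field names are mine.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// rsaEncryptionOID is the DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption),
// the algorithm identifier an ordinary PKCS#1 v1.5 certificate key carries.
var rsaEncryptionOID = []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01}

// pssOpts: salt length equal to the digest length, MGF1 driven by the same hash.
// Assumption: SHA-256 as the digest (the OID default of mgf1SHA1 is not used here).
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}

// Result records what the demonstration establishes about a single key.
type Result struct {
	V15Verifies   bool // PKCS#1 v1.5 signature verifies under the v1.5 verifier
	PSSVerifies   bool // PSS signature verifies under the PSS verifier
	CrossV15AsPSS bool // v1.5 signature accepted by the PSS verifier (expected false)
	CrossPSSAsV15 bool // PSS signature accepted by the v1.5 verifier (expected false)
	PSSRandomized bool // two PSS signatures of the same message differ
	V15Determin   bool // two v1.5 signatures of the same message are identical
	KeyIsPlainRSA bool // public key encodes as rsaEncryption, with no PSS parameters
}

// Demo generates one RSA key and exercises both signature schemes with it.
func Demo(bits int, msg []byte) (*Result, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	pub := &priv.PublicKey
	digest := sha256.Sum256(msg)

	// Same private key, two schemes, two signatures each.
	v15a, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	v15b, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	pssA, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return nil, err
	}
	pssB, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return nil, err
	}

	// The public key exactly as a certificate would carry it: a PKIX
	// SubjectPublicKeyInfo, which for *rsa.PublicKey uses the rsaEncryption OID.
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}

	return &Result{
		V15Verifies:   rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], v15a) == nil,
		PSSVerifies:   rsa.VerifyPSS(pub, crypto.SHA256, digest[:], pssA, pssOpts) == nil,
		CrossV15AsPSS: rsa.VerifyPSS(pub, crypto.SHA256, digest[:], v15a, pssOpts) == nil,
		CrossPSSAsV15: rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], pssA) == nil,
		PSSRandomized: !bytes.Equal(pssA, pssB),
		V15Determin:   bytes.Equal(v15a, v15b),
		KeyIsPlainRSA: bytes.Contains(spki, rsaEncryptionOID),
	}, nil
}

func main() {
	// Constructed sample message, not taken from the mail.
	r, err := Demo(2048, []byte("TLS 1.3 handshake transcript (constructed sample)"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", *r)
}
```

Running it prints a Result in which both same-scheme verifications are true, both cross-scheme verifications are false, the PSS signatures differ, the v1.5 signatures are identical, and the key encodes as rsaEncryption. That is the situation Hanno describes: the key material is scheme-agnostic, so the choice of PSS belongs to the protocol's signature algorithm negotiation rather than to the CA-issued key.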