Re: [TLS] Remove signature algorithms from cipher suites in 1.3

[Hanno Böck <hanno@hboeck.de>]

Hello,

On Tue, 23 Dec 2014 04:04:46 +0100
Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr> wrote:

> Hence, I propose to include with this change the introduction of a
> new SignatureAlgorithm value rsa-pss(4) that denotes PKCS#1v2.2
> RSASSA-PSS signatures with default parameters (mgf1SHA1 for mask
> generation and the length of the message digest function output as
> salt length). It may take time before this change impacts PKIX and
> CAs, but it is at least a necessary first step.

Thanks for bringing PSS for TLS 1.3 up, I wanted to do this for quite
some time.

Do I understand your proposal right that it'd result in:

a) If we use the normal RSA certificates we have today TLS 1.3 would
continue using RSA-PKCS#1v1.5
b) If the user gets a designated RSA-PSS key/certificate it'd use PSS?

I think this would result in a near-zero-adoption for PSS probably for
a very long time because you'd depend on the CA to do anything.

Why not go the much simpler route: Define that TLS 1.3 uses PSS by
default.

Certificates / Keys for RSA-PSS are no different from PKCS#1v1.5 keys.
We can just use the existing ones.

(Please note that the algorithm identifier for PSS already exists for
X509, it's RFC 4055. It allows Keys with an algorithm identifier
restricting to PSS, but that's no requirement - you can use the old
keys for PSS as well, as technically they're no different.)


Best,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42