Date: Tue, 23 Dec 2014 10:26:35 +0100
From: Hanno Böck <hanno@hboeck.de>
To: tls@ietf.org
Message-ID: <20141223102635.3bda9ed2@pc>
In-Reply-To: <5498DBCE.1070909@delignat-lavaud.fr>
References: <5498DBCE.1070909@delignat-lavaud.fr>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ZYvoEAwMjxauoXbmrrDm1vPF8Xw
Subject: Re: [TLS] Remove signature algorithms from cipher suites in 1.3

Hello,

On Tue, 23 Dec 2014 04:04:46 +0100
Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr> wrote:

> Hence, I propose to include with this change the introduction of a
> new SignatureAlgorithm value rsa-pss(4) that denotes PKCS#1v2.2
> RSASSA-PSS signatures with default parameters (mgf1SHA1 for mask
> generation and the length of the message digest function output as
> salt length). It may take time before this change impacts PKIX and
> CAs, but it is at least a necessary first step.

Thanks for bringing PSS for TLS 1.3 up, I wanted to do this for quite
some time.

Do I understand your proposal right that it'd result in:

a) If we use the normal RSA certificates we have today TLS 1.3 would
continue using RSA-PKCS#1v1.5
b) If the user gets a designated RSA-PSS key/certificate it'd use PSS?

I think this would result in a near-zero-adoption for PSS probably for
a very long time because you'd depend on the CA to do anything.

Why not go the much simpler route: Define that TLS 1.3 uses PSS by
default.

Certificates / Keys for RSA-PSS are no different from PKCS#1v1.5 keys.
We can just use the existing ones.

(Please note that the algorithm identifier for PSS already exists for
X509, it's RFC 4055. It allows Keys with an algorithm identifier
restricting to PSS, but that's no requirement - you can use the old
keys for PSS as well, as technically they're no different.)


Best,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42
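
The point made above, that existing RSA keys serve for PSS just as they do for PKCS#1 v1.5 and that the key's algorithm identifier stays rsaEncryption, shown as an added example that is not part of this thread: one freshly generated RSA key signs the same message under both RSASSA-PKCS#1 v1.5 and RSASSA-PSS (MGF1, salt length equal to the digest length), using the `cryptography` Python library. The SHA-256 digest, the use of the same hash inside MGF1 (the quoted proposal fixes mgf1SHA1) and the sample message are assumptions of the example.

```python
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.exceptions import InvalidSignature

DIGEST = hashes.SHA256()
# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption): the AlgorithmIdentifier
# an ordinary RSA SubjectPublicKeyInfo carries, whatever padding scheme is used.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")

def pss_padding():
    # RSASSA-PSS with MGF1 and salt length equal to the digest length.
    # The quoted proposal fixes mgf1SHA1; this example uses MGF1 with the
    # same hash as the digest (an assumption made for illustration).
    return padding.PSS(mgf=padding.MGF1(DIGEST), salt_length=DIGEST.digest_size)

def verify(pub, sig, msg, pad):
    """True if sig is valid for msg under the given padding scheme, else False."""
    try:
        pub.verify(sig, msg, pad, DIGEST)
        return True
    except InvalidSignature:
        return False

def demo(msg=b"constructed sample handshake transcript"):
    # One plain RSA key, generated here; nothing about it is PSS-specific.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = key.public_key()
    spki = pub.public_bytes(serialization.Encoding.DER,
                            serialization.PublicFormat.SubjectPublicKeyInfo)

    sig_v15 = key.sign(msg, padding.PKCS1v15(), DIGEST)
    sig_pss_a = key.sign(msg, pss_padding(), DIGEST)
    sig_pss_b = key.sign(msg, pss_padding(), DIGEST)

    return {
        # the same key produces valid signatures under both schemes
        "pkcs1v15_ok": verify(pub, sig_v15, msg, padding.PKCS1v15()),
        "pss_ok": verify(pub, sig_pss_a, msg, pss_padding()),
        # PSS draws a fresh random salt, so two signatures of one message differ
        "pss_randomized": sig_pss_a != sig_pss_b,
        # a signature made under one scheme does not verify under the other
        "cross_scheme_rejected": (not verify(pub, sig_pss_a, msg, padding.PKCS1v15())
                                  and not verify(pub, sig_v15, msg, pss_padding())),
        # the public key is encoded as rsaEncryption, not as a PSS-restricted key
        "spki_is_rsaEncryption": RSA_ENCRYPTION_OID in spki,
    }
```

A PSS-restricted key per RFC 4055 would instead carry id-RSASSA-PSS in its AlgorithmIdentifier; the example only shows that the ordinary key needs no such change.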