Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

Martin Thomson <martin.thomson@gmail.com> Wed, 30 May 2018 06:32 UTC

MIME-Version: 1.0
References: <a96fb90a-5533-6fc9-4473-fa2e5d0ac131@brainhub.org> <20180529191319.GJ13834@akamai.com> <2f30d9d5-17a0-4a83-ab2d-bfd399c73fd2@brainhub.org> <20180529194251.GK13834@akamai.com> <50f2f097-d8b0-334d-e1b2-1ea34fff9d29@brainhub.org> <CAF8qwaAZOZs__81Q2zvreM-X-t07G80V-4t1NKgZCWiP5yD-Yg@mail.gmail.com> <d8b6f651-f5ac-a16e-db81-91812e483f72@brainhub.org> <CAF8qwaB_LoPAvz41k0_+FANnrAznzTHE9h4dhq5SKP+mkiL0jg@mail.gmail.com> <7c503b05-1c33-7c94-d79f-b7feb2d8c145@brainhub.org> <CABkgnnXBsNQDebM7R60XzjujX-oXZHQmW6vb1-eiHHun0pTLng@mail.gmail.com> <97d05a8c-3d4e-0ce8-d0d1-7d64a8b4f227@brainhub.org> <CABkgnnWNuqGEkCycqT3QNf=xEYeEoO-H0DZpBH4TFNRsSbfvWw@mail.gmail.com> <1b87cc44-2329-697d-59b7-829e87b67aef@brainhub.org>
In-Reply-To: <1b87cc44-2329-697d-59b7-829e87b67aef@brainhub.org>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 30 May 2018 16:32:05 +1000
Message-ID: <CABkgnnUtsNC6KKVkX3PE33Rrj0dS0mmnzjLMc-f47MJ=-SFqKQ@mail.gmail.com>
To: Andrey Jivsov <crypto@brainhub.org>
Cc: David Benjamin <davidben@chromium.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Zc3fHkoqTSBN0HHyl8IxZobv0SQ>
Subject: Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

On Wed, May 30, 2018 at 4:03 PM Andrey Jivsov <crypto@brainhub.org> wrote:
> > Implementations that advertise support for RSASSA-PSS (which is mandatory
> > in TLS 1.3), MUST be prepared to accept a signature using that scheme even
> > when TLS 1.2 is negotiated. "

> Correct. That's the single paragraph that I think should not be there.

This has been discussed.  The working group felt that it was worthwhile
having support for PSS in TLS 1.2 and that they preferred not to add more
codepoints to support that.

The cost here is as you say: clients that offer 1.3 need to be able to
handle PSS certs from a server.  The cost for the alternative is to make
the signature algorithm meaningful in TLS 1.3, which leaves us looking for
a solution for 1.2 (yes, a new codepoint would achieve that).
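The mechanics behind this exchange, as an added example that is not part of the thread or of any TLS implementation: a TLS 1.3-capable client has to list the rsa_pss_* SignatureScheme codepoints in its signature_algorithms extension, and a TLS 1.2 server that sees them may legitimately pick one, so the client's verifier must handle PSS even on a 1.2 connection. The codepoints and the extension layout are the ones in RFC 8446 section 4.2.3; the client lists, the server's key capabilities and the "first client-listed scheme the server supports" selection policy are constructed assumptions for illustration, not a quote of any stack's behaviour.

```python
import struct

# SignatureScheme codepoints from RFC 8446 section 4.2.3 (subset).
SIGNATURE_SCHEMES = {
    "rsa_pkcs1_sha256": 0x0401,
    "rsa_pkcs1_sha384": 0x0501,
    "rsa_pkcs1_sha512": 0x0601,
    "ecdsa_secp256r1_sha256": 0x0403,
    "rsa_pss_rsae_sha256": 0x0804,
    "rsa_pss_rsae_sha384": 0x0805,
    "rsa_pss_rsae_sha512": 0x0806,
    "ed25519": 0x0807,
    "rsa_pss_pss_sha256": 0x0809,
}
NAME_BY_CODE = {code: name for name, code in SIGNATURE_SCHEMES.items()}
EXT_SIGNATURE_ALGORITHMS = 13  # ExtensionType signature_algorithms(13)


def encode_signature_algorithms(schemes):
    """Build the signature_algorithms extension:
    extension_type(2) || extension_data length(2) || list length(2) || 2-byte codepoints."""
    body = b"".join(struct.pack("!H", SIGNATURE_SCHEMES[s]) for s in schemes)
    data = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(data)) + data


def decode_signature_algorithms(ext):
    """Parse the extension back into scheme names, rejecting malformed lengths."""
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != EXT_SIGNATURE_ALGORITHMS or ext_len != len(ext) - 4:
        raise ValueError("not a well-formed signature_algorithms extension")
    (list_len,) = struct.unpack("!H", ext[4:6])
    if list_len != ext_len - 2 or list_len == 0 or list_len % 2 != 0:
        raise ValueError("bad supported_signature_algorithms length")
    codes = struct.unpack("!%dH" % (list_len // 2), ext[6:6 + list_len])
    return [NAME_BY_CODE.get(c, "unknown_0x%04x" % c) for c in codes]


def select_scheme(client_schemes, server_supported, negotiated_version):
    """Server side (assumed policy): first client-offered scheme this server can
    produce with its key. RFC 8446 forbids rsa_pkcs1_* for a TLS 1.3
    CertificateVerify, but in TLS 1.2 any scheme the client listed is
    selectable, including PSS."""
    for s in client_schemes:
        if s not in server_supported:
            continue
        if negotiated_version == "1.3" and s.startswith("rsa_pkcs1_"):
            continue
        return s
    return None


def client_accepts(client_schemes, chosen):
    """Client side: the server may only use a scheme the client advertised;
    having advertised PSS, the client must be able to verify a PSS signature."""
    return chosen is not None and chosen in client_schemes


# Constructed sample peers. A client that offers TLS 1.3 must list PSS;
# a 1.2-only legacy client need not.
TLS13_CAPABLE_CLIENT = ["ecdsa_secp256r1_sha256", "rsa_pss_rsae_sha256", "rsa_pkcs1_sha256"]
LEGACY_12_CLIENT = ["rsa_pkcs1_sha256", "rsa_pkcs1_sha384"]
SERVER_RSA = {"rsa_pss_rsae_sha256", "rsa_pkcs1_sha256", "rsa_pkcs1_sha384"}


if __name__ == "__main__":
    ext = encode_signature_algorithms(TLS13_CAPABLE_CLIENT)
    print("extension bytes:", ext.hex())
    print("decoded:", decode_signature_algorithms(ext))
    for label, client in (("1.3-capable client", TLS13_CAPABLE_CLIENT),
                          ("legacy 1.2 client", LEGACY_12_CLIENT)):
        for version in ("1.2", "1.3"):
            chosen = select_scheme(client, SERVER_RSA, version)
            print("%s, TLS %s negotiated -> %s (client can verify: %s)"
                  % (label, version, chosen, client_accepts(client, chosen)))
```

Running it shows the trade-off in the message: with TLS 1.2 negotiated, the legacy client gets rsa_pkcs1_sha256 while the 1.3-capable client gets rsa_pss_rsae_sha256, because that is what it advertised. A 1.3-capable client whose TLS 1.2 code path cannot verify PSS would fail here, which is exactly the cost being discussed, and the only way to avoid it without a new codepoint is for the client not to advertise PSS at all, which would break TLS 1.3 with an RSA key.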