Re: [TLS] PSS and TLS 1.3
Martin Thomson <martin.thomson@gmail.com> Mon, 06 February 2017 02:36 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F7F6129565 for <tls@ietfa.amsl.com>; Sun, 5 Feb 2017 18:36:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dCd9ydhauIeE for <tls@ietfa.amsl.com>; Sun, 5 Feb 2017 18:36:30 -0800 (PST)
Received: from mail-qk0-x235.google.com (mail-qk0-x235.google.com [IPv6:2607:f8b0:400d:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37E711294AD for <tls@ietf.org>; Sun, 5 Feb 2017 18:36:30 -0800 (PST)
Received: by mail-qk0-x235.google.com with SMTP id 11so42640183qkl.3 for <tls@ietf.org>; Sun, 05 Feb 2017 18:36:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=qgRHlDtiF8qaJITHXYchouTAIh2yfCSTRjkQDfoBGvo=; b=kb4BNYycCYIjtpEQdI/JX2IDMPjdDRVe5Uz1MeMHgbebxKQM59UU0o6AAZvfKPB3dd WLlZBMDejn+iIor7Lj7MKePex0Z4Vqc5K0GXsMIO7Z3c6OUp0x7vswYQvaJI9ZucaN/K 9GgxZi5vjs1UYuKoKaSUE8bejFqEITXGY1NQ1dccXByhFpinjsUjHB9NgTGFPj+OACP1 KDVAc6RtU7lzVH9plwTlzDiqoyW8S2e6pd9+x8iEi5j1CeS9MI+4W8pJJ7ktxEaAVDca lGzksKBOv9spCUSRIid0F0ed+PvujH/DNvNG2ayAFQNnj81RVbMBy6xc1uJIUXo1swsl LDgg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=qgRHlDtiF8qaJITHXYchouTAIh2yfCSTRjkQDfoBGvo=; b=foy+8zh11Nb5R55LgayAt6fKfCpZ9y5UzXSfu81Q/sjZdMbPdErnBaaYIthsLnKkXY q27FZFNFnDEYlEva+KtDMDYN66bDFhQGPyrFuml7tnRk9ipJr74s6Um9LUm8QVwZLQO+ uex/PrQwI9SupWHWTnee4mm2NmJIeJvcmBGhRCmjgVE4o9I7dWArq6CaEbpEe6EIAcB0 4zcrPI9HExcCW5Lcazhc+YNe+ZqUF2fUOR0Abm6FIDfiQJy2e0GmAO/8tF9B0tZS0U3w eCz3aJQp01x08VtIf/fZDe0F9SOOdf+atnui1Od5KAMHiTHWBXMFK4lz0L2hoXOF9XVM ynVQ==
X-Gm-Message-State: AMke39mhUhW3eoSrRX2v9C5bhv3n6UhnlEdz5QHjfJanYF6kr5nIY62YbmuvGNcZITPBjZTs/Q3SxlisTyn0gw==
X-Received: by 10.233.216.68 with SMTP id u65mr7396642qkf.68.1486348589324; Sun, 05 Feb 2017 18:36:29 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.19.112 with HTTP; Sun, 5 Feb 2017 18:36:28 -0800 (PST)
In-Reply-To: <1486339925.22876.1.camel@redhat.com>
References: <e993599c-f69d-2db3-f3f3-f40caf810bd6@drh-consultancy.co.uk> <1485158728.3068.5.camel@redhat.com> <20170123105241.GB28101@LK-Perkele-V2.elisa-laajakaista.fi> <1486339925.22876.1.camel@redhat.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 06 Feb 2017 13:36:28 +1100
Message-ID: <CABkgnnVYcANcB9=DcbWhtC-MxRtyXu7UV77PNTGpCP5Oz0Qmeg@mail.gmail.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/amvF0uMRAtmCp6cgCzktdcozQKs>
Cc: "tls@ietf.org list" <tls@ietf.org>
Subject: Re: [TLS] PSS and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Feb 2017 02:36:31 -0000
On 6 February 2017 at 11:12, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote: > TLS 1.3 requiring a different key type, will provide an incentive for > them to update. I don't think that's how this works. More likely, that would become a reason not to deploy TLS 1.3 if you insist that only RSA-PSS certs are used. Yes, I know that it's relatively easy to configure a PSS certificate separately. I wrote the code that did that in NSS, but it's going to remain the case that most servers have one cert. If you have one cert, then it's going to be the one that works with all the clients.
- [TLS] PSS and TLS 1.3 Dr Stephen Henson
- Re: [TLS] PSS and TLS 1.3 Ilari Liusvaara
- Re: [TLS] PSS and TLS 1.3 Brian Smith
- Re: [TLS] PSS and TLS 1.3 Adam Langley
- Re: [TLS] PSS and TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] PSS and TLS 1.3 Ilari Liusvaara
- Re: [TLS] PSS and TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] PSS and TLS 1.3 Martin Thomson
- Re: [TLS] PSS and TLS 1.3 Peter Gutmann
- Re: [TLS] PSS and TLS 1.3 Yoav Nir
- Re: [TLS] PSS and TLS 1.3 Ilari Liusvaara
- Re: [TLS] PSS and TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] PSS and TLS 1.3 Ilari Liusvaara