Re: [TLS] RSA-PSS in TLS 1.3

Andrey Jivsov <crypto@brainhub.org> Tue, 01 March 2016 04:52 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFC581ACD03 for <tls@ietfa.amsl.com>; Mon, 29 Feb 2016 20:52:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.501
X-Spam-Level:
X-Spam-Status: No, score=-0.501 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dvQU4nWRPGho for <tls@ietfa.amsl.com>; Mon, 29 Feb 2016 20:52:14 -0800 (PST)
Received: from resqmta-po-12v.sys.comcast.net (resqmta-po-12v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:171]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BA9E1ACD01 for <tls@ietf.org>; Mon, 29 Feb 2016 20:52:13 -0800 (PST)
Received: from resomta-po-11v.sys.comcast.net ([96.114.154.235]) by resqmta-po-12v.sys.comcast.net with comcast id QUsD1s00354zqzk01UsDfH; Tue, 01 Mar 2016 04:52:13 +0000
Received: from [192.168.0.10] ([76.103.100.237]) by resomta-po-11v.sys.comcast.net with comcast id QUsC1s00157Jnqc01UsCuQ; Tue, 01 Mar 2016 04:52:13 +0000
Message-ID: <56D51FFB.9050909@brainhub.org>
Date: Mon, 29 Feb 2016 20:52:11 -0800
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CAOgPGoD=AAFDUXN8VkOHwTMEUm+-qi548NsicoD=1yQKSu-sng@mail.gmail.com> <56D4ABAD.90902@brainhub.org> <20160229233617.5466ebd3@pc1>
In-Reply-To: <20160229233617.5466ebd3@pc1>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1456807933; bh=tV8qaBjqVJSdBz9TIG8W3HSI3XYmVgQ/XWayrEfkFtc=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=SIGhEBbsXp6luTC3dcQ7H3xLx5SCbBVMcAP72VWdumjAM34SrvhXbl1U7I6Ij84P2 oRmuzJyRCLBRTYJEw0y3KiQ4wrXV5+ej1X01YCCNloFXA73XxMUZ3QVYGJDsn65K08 fccvzMqILFqliiY+z5iPsztt9AOWAL/3Ws9hTL4Ol+/6x0FJgdqe7OFynqR4Bu1dc9 kXNVghomF1ZdINwCxYjkJwZbl7AkdLmbb6XWzsss6bEaZ5aM6kOQwBOZxGe01csUUQ se7JF41POS9cWJJ6NGXWqjn2LD1uQ7Fu7VjCY2sKBszOYPr5FYgQssWBqDiQF6SgTq ZZays1s8AqUew==
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/cSCcy_saAXX_8YzUDvRWlcYV-WA>
Subject: Re: [TLS] RSA-PSS in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Mar 2016 04:52:16 -0000

On 02/29/2016 02:36 PM, Hanno Böck wrote:
> We have an RFC for PSS since 2003.
> We had several attacks showing the weakness of PKCS #1 1.5.

In the face of such danger, what's your opinion on PKCS #1.5 signatures 
being perfectly fine in TLS 1.3 ? I refer to signatures in X.509 certs 
in the latest https://tools.ietf.org/html/draft-ietf-tls-tls13-11.

Why not ban PKCS #1.5 altogether from TLS 1.3? It will not only make TLS 
1.3 more secure, but code simpler and footprint smaller. Besides, it's 
reasonable: TLS 1.2 already allows PSS in X.509 certs.

You are arguing for the benefit of suddenly mandating a steel door on a 
grass hut. Joseph Salowey's proposal gives an option for the door, 
consistent with how TLS 1.2 does this for X.509 certs.