Re: [TLS] RSA-PSS in TLS 1.3

Martin Thomson <martin.thomson@gmail.com> Tue, 01 March 2016 09:20 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D10EB1B368A for <tls@ietfa.amsl.com>; Tue, 1 Mar 2016 01:20:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Chw9GIId5q3d for <tls@ietfa.amsl.com>; Tue, 1 Mar 2016 01:20:39 -0800 (PST)
Received: from mail-io0-x234.google.com (mail-io0-x234.google.com [IPv6:2607:f8b0:4001:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AF9E1B3689 for <tls@ietf.org>; Tue, 1 Mar 2016 01:20:39 -0800 (PST)
Received: by mail-io0-x234.google.com with SMTP id 9so212602824iom.1 for <tls@ietf.org>; Tue, 01 Mar 2016 01:20:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to; bh=KXpRa3OUSvXFjdJrC18JeM4JozXFw+1GNr6A0CJBuA8=; b=ECiFH0CsoPtorX5gHdiBnFjmOQt/TmepSmMxB2JenZj3Jy2T0IKaPyCMZSZU0AiAuN O18xE//1tk/tpxoQVgzogIAgAChrtfHtLIjVQJG+Q8GeXXZjHHH/nawLIJ1kfPXGzeU9 9aacFvdWaVbrcaXepiNQcS2VcTsCBrCIoh/08JzXIWqN48kGFDmMdmNoWwXFRHTZboLG bFe6MPbhCoKBKas0ycUyWq/Cxth8d72uWG7UdCYEYqxNq+t5KipsbtF/dTyETZD31nf+ ySbqKzRpysmRKFSpwNvWV0fJLK3bhw39lUNSxTI6FA3UTwZpY6l5zqztosGOTZAh9umE G7gw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to; bh=KXpRa3OUSvXFjdJrC18JeM4JozXFw+1GNr6A0CJBuA8=; b=J0cpxC0D0CvkS3OOqmfggk8jt1JlDfZ7F66bwyC75zglK6L1imOBLOStQP9m05L1Dk S8XZLJ8cTsfHezUvV9dGEJW23N82aCM0XgfLyTD1AFJcQEp5kd975o0hxoNSOMqdk30O BOiurdyKa9w5s6pzlUgrjbHcQWuqmgUx+6AqAKxAnNO0Ydcix1ZCBu72dK26gXoIiqh8 9O7x64+FwlpsGM+yEiC8JENh20KDAAnDPUmzGDFshRvLcVC4n4Lw6c9r8g99RjUAwm04 XEZO7yhtfE6EPBKTEworN9FkCU6biGpNktU2HLo9lKWxDkPrA7JS6xj/bs1wVSQ1W1by jB2Q==
X-Gm-Message-State: AG10YOQjylRLLjeX1XICFt8V/iUbsAcFB4Mx9rblE49k2qfSeUT5hwxdw9hhI7j7Fmlu6b9RHCnD8aSPbbQCyA==
MIME-Version: 1.0
X-Received: by 10.107.41.133 with SMTP id p127mr24710001iop.100.1456824038943; Tue, 01 Mar 2016 01:20:38 -0800 (PST)
Received: by 10.36.53.79 with HTTP; Tue, 1 Mar 2016 01:20:38 -0800 (PST)
In-Reply-To: <20160301050647.GW12869@mournblade.imrryr.org>
References: <CAOgPGoD=AAFDUXN8VkOHwTMEUm+-qi548NsicoD=1yQKSu-sng@mail.gmail.com> <CABkgnnX4Orgk7dvOtKN5FLryepf7Pb_bJtkxDiN+L7UUfthvSw@mail.gmail.com> <20160301045947.GV12869@mournblade.imrryr.org> <20160301050647.GW12869@mournblade.imrryr.org>
Date: Tue, 1 Mar 2016 20:20:38 +1100
Message-ID: <CABkgnnVPz_7UH0y1-N_SRgfd7hxX85WxD1i-NvXzWhjZ_v1POw@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/fyhybT5elCFk77ezuoV5bk2QwKY>
Subject: Re: [TLS] RSA-PSS in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Mar 2016 09:20:41 -0000

On 1 March 2016 at 16:06, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
>> It is much easier to mandate PSS in TLS 1.3 now, than to remove it
>> later.  Servers that can't do PSS will use TLS 1.2.  This avoids
>> a break-the-web day.
>
> Sorry, ... than to remove *PKCS#1.5* later ...

Yes, this is true for some people, and likely it will be more true in
the future.  However, a MUST implement PSS is enough for me.  If it
seems like consensus is against this position, I'll back that all the
way.  However, on the web side of things, we've some experience with
killing stuff that we don't like.  It's not always painless (see
SHA-1), but I'd rather rely on that system than risk holding back 1.3.