Re: [TLS] PSS for TLS 1.3
Eric Rescorla <ekr@rtfm.com> Mon, 23 March 2015 03:21 UTC
To: Brian Smith <brian@briansmith.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/hmkfxB4SNg1d1CD9VrucJBYcjGY>
Cc: "tls@ietf.org" <tls@ietf.org>
On Sun, Mar 22, 2015 at 6:53 PM, Brian Smith <brian@briansmith.org> wrote:

> Eric Rescorla <ekr@rtfm.com> wrote:
> > Obviously, if we want to move to PSS, option #2 is simplest, but
> > the sentiment at the interim was to survey the WG to see whether
> > there was widespread enough support for generating and verifying
> > PSS to make this feasible [0].
>
> PSS with which parameters?

I would be fine with mandating a minimum of SHA-256.

-Ekr

> My suggestion is that, if PSS is used, (SHA-256, MGF-SHA-256, 32-byte
> salt) should be used with the SHA-256-based PRF and that (SHA-384,
> MGF-SHA-384, 48-byte salt) should be used with the SHA-384-based PRFs.
>
> [1] notes that there is a security advantage to using the same digest
> function for the MGF as was used for digesting the signed data. It
> would be a mistake to mandate support for MGF-SHA-1 in PSS signatures
> in TLS 1.3, because a TLS 1.3 implementation shouldn't need to
> implement SHA-1 at all.
>
> Some implementations are hard-coded to support only MGF-SHA-1 and
> 20-byte salts. It is better to require those implementations to be
> updated than to require all implementations to implement SHA-1 just
> for the MGF.
>
> Cheers,
> Brian
>
> [1] https://tools.ietf.org/html/rfc3447#section-8.1
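The parameter sets Brian proposes above, as an added worked example that is not code from this thread or from any TLS implementation: a pure-Python RSASSA-PSS following RFC 3447 section 8.1 (now RFC 8017 sections 8.1 and 9.1), run with (SHA-256, MGF1-SHA-256, 32-byte salt) and (SHA-384, MGF1-SHA-384, 48-byte salt), and then with a signature from the first set handed to a verifier hard-coded to MGF1-SHA-1 and a 20-byte salt, the legacy configuration the message describes. The `PSS_PARAMS` table, the sample message, the seeded Miller-Rabin key generator and the 1024-bit toy key are all constructed for this example and are not suitable for anything beyond the demonstration.

```python
# Added example, not code from the thread or any TLS stack: RSASSA-PSS per
# RFC 3447 / RFC 8017 with the MGF hash and salt length tied to the message hash.
import hashlib
import random
import secrets

# (message hash, MGF1 hash, salt length in bytes) per TLS 1.3 PRF hash, as proposed in the thread
PSS_PARAMS = {"sha256": ("sha256", "sha256", 32), "sha384": ("sha384", "sha384", 48)}

def mgf1(seed, mask_len, hash_name):
    """MGF1 (RFC 8017 B.2.1): Hash(seed || C) for C = 0, 1, ..., truncated to mask_len."""
    out, counter = b"", 0
    while len(out) < mask_len:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]

def emsa_pss_encode(msg, em_bits, hash_name, mgf_hash, salt_len, salt=None):
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1). A fixed salt may be passed for tests."""
    h_len, em_len = hashlib.new(hash_name).digest_size, (em_bits + 7) // 8
    if em_len < h_len + salt_len + 2: raise ValueError("encoding error: modulus too small")
    salt = secrets.token_bytes(salt_len) if salt is None else salt
    m_hash = hashlib.new(hash_name, msg).digest()
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - salt_len - h_len - 2) + b"\x01" + salt
    masked = bytearray(a ^ b for a, b in zip(db, mgf1(h, len(db), mgf_hash)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the bits above emBits
    return bytes(masked) + h + b"\xbc"

def emsa_pss_verify(msg, em, em_bits, hash_name, mgf_hash, salt_len):
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2): True only if every structural check passes."""
    h_len, em_len = hashlib.new(hash_name).digest_size, (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + salt_len + 2 or em[-1] != 0xBC: return False
    masked, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top_mask & 0xFF: return False
    db = bytearray(a ^ b for a, b in zip(masked, mgf1(h, len(masked), mgf_hash)))
    db[0] &= top_mask
    ps_len = em_len - h_len - salt_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01: return False
    salt = bytes(db[ps_len + 1:])
    h2 = hashlib.new(hash_name, b"\x00" * 8 + hashlib.new(hash_name, msg).digest() + salt).digest()
    return secrets.compare_digest(h, h2)

def _probable_prime(n, rng, rounds=32):
    """Miller-Rabin with random bases; fine for a demo key, not for production."""
    r = ((n - 1) & (1 - n)).bit_length() - 1  # trailing zero bits of n - 1
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=1024, seed=2015):
    """Toy RSA keypair ((n, e), (n, d)); seeded so the example is reproducible."""
    rng = random.Random(seed)
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # odd, top bit set
            if _probable_prime(c, rng):
                return c
    p, q, e = prime(), prime(), 65537
    while p == q or (p - 1) * (q - 1) % e == 0:
        p, q = prime(), prime()
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def rsassa_pss_sign(priv, msg, hash_name, mgf_hash, salt_len):
    n, d = priv
    em = emsa_pss_encode(msg, n.bit_length() - 1, hash_name, mgf_hash, salt_len)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsassa_pss_verify(pub, msg, sig, hash_name, mgf_hash, salt_len):
    n, e = pub
    em_bits, s = n.bit_length() - 1, int.from_bytes(sig, "big")
    m = pow(s, e, n)
    # a valid EM has its top bits cleared, so anything wider than emBits is already invalid
    if len(sig) != (n.bit_length() + 7) // 8 or s >= n or m.bit_length() > em_bits: return False
    return emsa_pss_verify(msg, m.to_bytes((em_bits + 7) // 8, "big"), em_bits, hash_name, mgf_hash, salt_len)

def demo():
    """Both proposed sets round-trip; an MGF1-SHA-1/20-byte-salt verifier rejects a good SHA-256 signature."""
    pub, priv = generate_rsa_key()
    msg = b"constructed sample: TLS 1.3 CertificateVerify transcript hash"
    results = {}
    for name, params in PSS_PARAMS.items():
        results[name] = rsassa_pss_verify(pub, msg, rsassa_pss_sign(priv, msg, *params), *params)
    sig = rsassa_pss_sign(priv, msg, *PSS_PARAMS["sha256"])
    results["legacy_mgf1_sha1_verifier"] = rsassa_pss_verify(pub, msg, sig, "sha256", "sha1", 20)
    results["tampered_message"] = rsassa_pss_verify(pub, msg + b"!", sig, *PSS_PARAMS["sha256"])
    return results
```

`demo()` returns `True` for both proposed sets and `False` for the legacy verifier and the tampered message. The rejection in the legacy case is structural: with a different MGF hash the unmasked DB is garbage and the zero padding check fails before the hash is even recomputed, so an implementation that only knows MGF1-SHA-1 cannot interoperate at all, which is why the message argues for updating those implementations rather than carrying SHA-1 in every TLS 1.3 stack.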
- [TLS] PSS for TLS 1.3 Eric Rescorla
- Re: [TLS] PSS for TLS 1.3 Brian Smith
- Re: [TLS] PSS for TLS 1.3 Eric Rescorla
- Re: [TLS] PSS for TLS 1.3 Peter Bowen
- Re: [TLS] PSS for TLS 1.3 Hanno Böck
- Re: [TLS] PSS for TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] PSS for TLS 1.3 Eric Rescorla
- Re: [TLS] PSS for TLS 1.3 Salz, Rich
- Re: [TLS] PSS for TLS 1.3 Russ Housley
- Re: [TLS] PSS for TLS 1.3 Russ Housley
- Re: [TLS] PSS for TLS 1.3 Paterson, Kenny
- Re: [TLS] PSS for TLS 1.3 Ilari Liusvaara
- Re: [TLS] PSS for TLS 1.3 Martin Rex
- Re: [TLS] PSS for TLS 1.3 Ilari Liusvaara
- Re: [TLS] PSS for TLS 1.3 Russ Housley