Re: [TLS] RSA-PSS in TLS 1.3

Brian Smith <> Mon, 29 February 2016 19:01 UTC


Joseph Salowey <> wrote:

> We seem to have good consensus on moving to RSA-PSS and away from PKCS-1.5
> in TLS 1.3.  However, there is a problem that it may take some hardware
> implementations some time to move to RSA-PSS.  After an off list discussion
> with a few folks here is a proposal for moving forward.
> We make RSA-PSS mandatory to implement (MUST implement instead of MUST
> offer).   Clients can advertise support for PKCS-1.5 for backwards
> compatibility in the transition period.
> Please respond on the list on whether you think this is a reasonable way
> forward or not.

I agree with the others that TLS should use exclusively RSA-PSS (with all
the parameters fixed according to the digest function used to digest the
data) when RSA is used in the protocol. Implementations that can't support
PSS in hardware can either implement it in software or use ECDSA or keep on
using TLS 1.2.
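
An added example, not part of the message above: a sketch of the PSS encoding step with every parameter derived from the digest name. It assumes "fixed" means MGF1 over the same digest and a salt as long as the digest output. The function names are hypothetical, and the RSA private/public-key operation that wraps the encoding is left out.

```python
import hashlib
import hmac
import os

def mgf1(seed, length, hash_name):
    """MGF1 (RFC 8017 B.2.1) built on the same digest as the signature."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pss_encode(msg, em_bits, hash_name, s_len=None):
    """EMSA-PSS-ENCODE. s_len=None fixes the salt length to the digest length;
    passing another value models a signer with free parameters."""
    h_len = hashlib.new(hash_name).digest_size
    s_len = h_len if s_len is None else s_len
    em_len = (em_bits + 7) // 8
    if em_len < h_len + s_len + 2:
        raise ValueError("encoded message too short for this digest and salt")
    salt = os.urandom(s_len)
    m_hash = hashlib.new(hash_name, msg).digest()
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - s_len - h_len - 2) + b"\x01" + salt
    masked = bytearray(_xor(db, mgf1(h, len(db), hash_name)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear bits above em_bits
    return bytes(masked) + h + b"\xbc"

def pss_verify_fixed(msg, em, em_bits, hash_name):
    """EMSA-PSS-VERIFY with MGF hash and salt length both derived from hash_name."""
    h_len = s_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:
        return False
    db = bytearray(_xor(masked, mgf1(h, len(masked), hash_name)))
    db[0] &= top
    pad = em_len - h_len - s_len - 2
    if any(db[:pad]) or db[pad] != 0x01:
        return False
    m_hash = hashlib.new(hash_name, msg).digest()
    expect = hashlib.new(hash_name, b"\x00" * 8 + m_hash + bytes(db[pad + 1:])).digest()
    return hmac.compare_digest(expect, h)
```

For a 2048-bit modulus `em_bits` is 2047. An encoding produced with a different salt length or digest is rejected by `pss_verify_fixed` because the verifier never reads those parameters from the signer.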