Re: [TLS] TLS RSA-PSS and various versions of TLS
Dr Stephen Henson <lists@drh-consultancy.co.uk> Wed, 26 April 2017 14:16 UTC
To: Ilari Liusvaara <ilariliusvaara@welho.com>, Martin Rex <mrex@sap.com>
References: <926e3b6b-5f0c-e00a-5ba3-9a2cfcdc4e8f@drh-consultancy.co.uk> <20170426132358.06FA71A698@ld9781.wdf.sap.corp> <20170426134140.GA29859@LK-Perkele-V2.elisa-laajakaista.fi>
Cc: tls@ietf.org
From: Dr Stephen Henson <lists@drh-consultancy.co.uk>
Message-ID: <b0a94575-c6d0-820e-9c15-124e06752177@drh-consultancy.co.uk>
Date: Wed, 26 Apr 2017 15:10:27 +0100
In-Reply-To: <20170426134140.GA29859@LK-Perkele-V2.elisa-laajakaista.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mnO5U4XdgNbGe6HzXhdE_b_AEg4>
Subject: Re: [TLS] TLS RSA-PSS and various versions of TLS
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
On 26/04/2017 14:41, Ilari Liusvaara wrote:
> On Wed, Apr 26, 2017 at 03:23:57PM +0200, Martin Rex wrote:
>>
>> The issue with RSA-PSS digital signatures is that they were defined
>> with additional (unnecessary) parameters that are encoded (=hidden) in the
>> ASN.1 AlgorithmIdentifier, and that are therefore unspecified when
>> RSA-PSS is requested as (rsa-pss,sha-256) rather than with an ASN.1
>> AlgorithmIdentifier.
>
> TLS 1.3 specifies what values those parameters have for various
> SignatureSchemes.
>
>> The additional, unnecessary parameters are "saltLen" and
>> "MaskGenerationFunction" (MGF), and the commonly-used MaskGenerationFunction
>> (mgf1) adds yet another additional, unnecessary parameter (MGF-internal hash).
>
> Also specified.
>

For TLS message signatures yes. For signatures on certificates I think it is far
less clear.

For salt lengths the spec says:

"When used in signed TLS handshake messages, the length of the salt MUST be
equal to the length of the digest output."

It says nothing about salt length restrictions (if any) on certificates.

Steve.
-- 
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
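Added example, not part of the original message and not OpenSSL code: a stdlib-only Python walk over the ASN.1 RSASSA-PSS-params structure (RFC 4055) discussed above, extracting the hash, MGF1 hash and salt length and comparing them with the TLS 1.3 handshake rule quoted in the message. The function names and the two DER samples are constructed for illustration; only short-form DER lengths and MGF1 are handled.

```python
HASHES = {  # OID content bytes -> (name, digest length in bytes)
    bytes.fromhex("2b0e03021a"): ("sha1", 20),
    bytes.fromhex("608648016503040201"): ("sha256", 32),
    bytes.fromhex("608648016503040202"): ("sha384", 48),
    bytes.fromhex("608648016503040203"): ("sha512", 64),
}
MGF1_OID = bytes.fromhex("2a864886f70d010108")  # id-mgf1

def children(body):  # split DER content into (tag, value) pairs
    out, i = [], 0
    while i < len(body):
        n = body[i + 1] if i + 1 < len(body) else 0x80
        if n >= 0x80 or i + 2 + n > len(body):
            raise ValueError("long-form or truncated DER length")
        out.append((body[i], body[i + 2:i + 2 + n]))
        i += 2 + n
    return out

def only(der, tag):  # value of the single element in der, which must carry tag
    items = children(der)
    if len(items) != 1 or items[0][0] != tag:
        raise ValueError("unexpected DER structure")
    return items[0][1]

def parse_pss_params(der):  # absent fields take the RFC 4055 defaults
    p = {"hash": "sha1", "mgf1_hash": "sha1", "salt_len": 20}
    for tag, val in children(only(der, 0x30)):
        if tag == 0xA0:    # [0] hashAlgorithm
            p["hash"] = HASHES[children(only(val, 0x30))[0][1]][0]
        elif tag == 0xA1:  # [1] maskGenAlgorithm
            mgf = children(only(val, 0x30))
            if mgf[0][1] != MGF1_OID:
                raise ValueError("only MGF1 is handled")
            p["mgf1_hash"] = HASHES[children(mgf[1][1])[0][1]][0]
        elif tag == 0xA2:  # [2] saltLength
            p["salt_len"] = int.from_bytes(only(val, 0x02), "big")
        elif tag != 0xA3:  # [3] trailerField is accepted but not inspected
            raise ValueError("unexpected field in RSASSA-PSS-params")
    return p

def fits_tls13_handshake_profile(p):  # MGF1 hash == signature hash, salt == digest length
    digest_len = dict(HASHES.values())[p["hash"]]
    return p["mgf1_hash"] == p["hash"] and p["salt_len"] == digest_len

HANDSHAKE_STYLE = bytes.fromhex(  # constructed sample: SHA-256, MGF1/SHA-256, salt 32
    "3034a00f300d06096086480165030402010500"
    "a11c301a06092a864886f70d010108300d06096086480165030402010500"
    "a203020120")
SHORT_SALT = HANDSHAKE_STYLE[:-1] + b"\x14"  # constructed: same parameters, salt 20
```

Both samples are well-formed PSS parameters; only the first satisfies the handshake rule, and a certificate signature carrying the second is the case the message says the quoted spec text does not address.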