[TLS] PSS for TLS 1.3

Eric Rescorla <ekr@rtfm.com> Sun, 22 March 2015 22:10 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 035A31A3B9C for <tls@ietfa.amsl.com>; Sun, 22 Mar 2015 15:10:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6wTMZGTVsPHj for <tls@ietfa.amsl.com>; Sun, 22 Mar 2015 15:10:13 -0700 (PDT)
Received: from mail-we0-f172.google.com (mail-we0-f172.google.com [74.125.82.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E406A1A1BCD for <tls@ietf.org>; Sun, 22 Mar 2015 15:10:12 -0700 (PDT)
Received: by wegp1 with SMTP id p1so123667313weg.1 for <tls@ietf.org>; Sun, 22 Mar 2015 15:10:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=URGedTMZrLyjqYBoNrehviqj1ZXRXH9R98AWAS9OTuk=; b=S0kZmRRq+2PULqXbukugOOrWPk02rP5741wZuVJSF6PsUrMlI62xAptIh3gi55KRtC ZrQ1mXUfDHNnUYR1pPt6IcO+0QdaOsvK78iH+HsetIkaVHcGvHi7UGb7wrMPnn24sEkl xl4IAXGZ1wpmYNK2KXI28ysDzbzNpS8U0pPYxKSQztzjjAJTTtljoT64WHZtOiPElpg3 WySW1sG9kI80o2iwg+1oVYNUgM8UPzcNoJgxjybDTtpf2e5ouRPW+2LT9gaatkS9rtQG jRidj6tRRsc7S83cnQmPzMkzAetrK3UMKvSn5xnNnj4/LPTsZw+G3XAB+fIKzACHUVqG 6cbw==
X-Gm-Message-State: ALoCoQmy2abXyWLAzeH6FdSesM4CfFyeviN1bWdrliY/7KeuVrA4ug+3vpFBDrk6kh6qnyIrEYhp
X-Received: by 10.194.108.9 with SMTP id hg9mr183045760wjb.68.1427062211727; Sun, 22 Mar 2015 15:10:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.205.198 with HTTP; Sun, 22 Mar 2015 15:09:31 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 22 Mar 2015 15:09:31 -0700
Message-ID: <CABcZeBOeoyggJfma8rvyeRrh6Dw+oSp5P-oUG0MR3ZprBOyUPQ@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary=047d7bf10b1c33eefd0511e7d075
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/qSyxK_TPyzTPYPkGQtJbfW3rweQ>
Subject: [TLS] PSS for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Mar 2015 22:10:15 -0000

During the interim we discussed discussion about adopting PSS for
RSA signatures in TLS 1.3.

Clearly, we will not be able to just adopt PSS because certificates
will continue to be signed with PKCS#1 1.5. However, we could adopt
PSS for signatures outside of the certificate context. Roughly
speaking, we have three options:

1. Do not adopt PSS.
2. Adopt PSS as the only signature format for non-certificate
   signatures (but require acceptance of PKCS#1 1.5 for
   certificates)
3. Negotiate the use of PSS versus PKCS#1 1.5

Obviously, if we want to move to PSS, option #2 is simplest, but
the sentiment at the interim was to survey the WG to see whether
there was widespread enough support for generating and verifying
PSS to make this feasible [0].

Please use this thread to discuss.

-Ekr

[0] FWIW, this doesn't appear to be a problem for NSS.