Re: [TLS] SHA-3 in SignatureScheme

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 07 September 2016 08:25 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/t6rgzt00PeAEpDlI4Yagz2WMsBQ>

On Tue, Sep 06, 2016 at 01:47:48PM +0200, Gilles Van Assche wrote:
> Hello,
> 
> For RSA PSS, I would suggest to consider:
> rsa_pss_shake128
> rsa_pss_shake256
> where SHAKE128 (or 256), as an extendable output function (XOF), directly
> replaces the mask generating function MGF.
> 
> This would make RSA PSS simpler and more efficient.

Well, my opinion on this thing still is:

- There is no real sense of urgent concern about SHA-2.
- This was not true with MD5/SHA-1 when TLS 1.2 was designed. There
  definitely was urgent concern.
- Therefore a few months' delay for a separate spec is not a major issue.
- Delaying TLS 1.3 for that would be a major issue.
- TLS 1.3 has sufficient hooks to add this later (if you disagree,
  speak up, because it would be a major flaw).
- I don't expect people to implement stuff just because it is in the TLS
  1.3 spec (but we shouldn't put crap there in case they do), so the
  "visibility loss" would be pretty minimal.


Therefore I think that this work should be pursued in a separate spec,
not in TLS 1.3 core.


-Ilari
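
The proposal quoted at the top of this message, as an added sketch that is not part of the original thread or of any TLS draft: EMSA-PSS encoding and verification (RFC 8017, section 9.1) with the mask generator passed in as a parameter, so MGF1 over SHA-256 can be set beside SHAKE128 used directly as the mask function. All function names, the 32-byte SHAKE128 digest length and the caller-supplied salt are assumptions of this example; the RSA operation itself is left out.

```python
import hashlib, hmac

def mgf1_sha256(seed: bytes, n: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1): hash seed||counter repeatedly, then truncate."""
    out = b""
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:n]

def shake128_mask(seed: bytes, n: int) -> bytes:
    """The XOF as the mask generator: one call, any output length."""
    return hashlib.shake_128(seed).digest(n)

def sha256(m: bytes) -> bytes: return hashlib.sha256(m).digest()
def shake128_32(m: bytes) -> bytes: return hashlib.shake_128(m).digest(32)  # assumed length

def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def pss_encode(msg, em_bits, hash_fn, mask_fn, salt):
    """EMSA-PSS-ENCODE; em_bits is modulus bits minus one."""
    h_len, em_len = len(hash_fn(b"")), (em_bits + 7) // 8
    if em_len < h_len + len(salt) + 2:
        raise ValueError("encoding error: modulus too small")
    h = hash_fn(b"\x00" * 8 + hash_fn(msg) + salt)
    db = b"\x00" * (em_len - len(salt) - h_len - 2) + b"\x01" + salt
    masked = bytearray(_xor(db, mask_fn(h, len(db))))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear bits above em_bits
    return bytes(masked) + h + b"\xbc"

def pss_verify(msg, em, em_bits, hash_fn, mask_fn, s_len):
    """EMSA-PSS-VERIFY; returns True only for a consistent encoding."""
    h_len, em_len = len(hash_fn(b"")), (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:          # bits above em_bits must be zero
        return False
    db = bytearray(_xor(masked, mask_fn(h, len(masked))))
    db[0] &= top
    pad = em_len - h_len - s_len - 2
    if any(db[:pad]) or db[pad] != 0x01:  # zero padding, then 0x01 separator
        return False
    salt = bytes(db[pad + 1:])
    return hmac.compare_digest(h, hash_fn(b"\x00" * 8 + hash_fn(msg) + salt))
```

The two variants differ only in the `hash_fn` and `mask_fn` arguments, and an encoding produced with one mask function does not verify under the other.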