Re: [TLS] RSA-PSS in TLS 1.3

[Andrey Jivsov <crypto@brainhub.org>]

On 02/29/2016 09:32 AM, Joseph Salowey wrote:
 > We seem to have good consensus on moving to RSA-PSS and away from
 > PKCS-1.5 in TLS 1.3.  However, there is a problem that it may take some
 > hardware implementations some time to move to RSA-PSS.  After an off
 > list discussion with a few folks here is a proposal for moving forward.
 >
 > We make RSA-PSS mandatory to implement (MUST implement instead of MUST
 > offer).   Clients can advertise support for PKCS-1.5 for backwards
 > compatibility in the transition period.
 > Please respond on the list on whether you think this is a reasonable way
 > forward or not.

I think that supporting PKCS1.5 fallback is the right thing to do for 
wider adoption of TLS 1.3, as specified above.

PKCS #1.5 is allowed by 
https://tools.ietf.org/html/draft-ietf-tls-tls13-11#section-6.3.2.1 in 
X.509 certificates. X.509 certificate chain is a part of TLS handshake. 
The above proposal is about not restricting one type of signature, the 
end-entity signature, to PSS. This applies to client authentication, 
server authentication, or both.

Without a generous advance warning about PKCS#1.5 removal by TLS 1.3, we 
have to deal with already deployed hardware. Had vendors and customers 
knew that TLS 1.3 will remove PKCS #1.5, we probably would have ended up 
with more PSS-friendly Internet. Even now PKCS#1.5 is allowed by FIPS 
140, Common Criteria, and in CA certificates in TLS 1.3, and earlier TLS.

The WG can chose to remove PSS from one type of signature in TLS1.3. 
This will result in affected implementations capping negotiation at TLS 
1.2. There is no other fix in some cases.

For more details: 
https://www.ietf.org/mail-archive/web/tls/current/msg19096.html

(I posted earlier, but don't see the message. Sending this one more 
time, slightly edited)