Re: [TLS] RSA-PSS in TLS 1.3

Andrey Jivsov <crypto@brainhub.org> Mon, 29 February 2016 20:38 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FDA01B3BB2 for <tls@ietfa.amsl.com>; Mon, 29 Feb 2016 12:38:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AxyCaefyIFe9 for <tls@ietfa.amsl.com>; Mon, 29 Feb 2016 12:38:06 -0800 (PST)
Received: from resqmta-po-04v.sys.comcast.net (resqmta-po-04v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:163]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF48F1B3BB0 for <tls@ietf.org>; Mon, 29 Feb 2016 12:38:06 -0800 (PST)
Received: from resomta-po-05v.sys.comcast.net ([96.114.154.229]) by resqmta-po-04v.sys.comcast.net with comcast id QLd81s0024xDoy801Le64x; Mon, 29 Feb 2016 20:38:06 +0000
Received: from [10.65.229.79] ([68.177.129.79]) by resomta-po-05v.sys.comcast.net with comcast id QLbx1s00D1ivTfo01Lbz9V; Mon, 29 Feb 2016 20:36:04 +0000
To: tls@ietf.org
References: <CAOgPGoD=AAFDUXN8VkOHwTMEUm+-qi548NsicoD=1yQKSu-sng@mail.gmail.com>
From: Andrey Jivsov <crypto@brainhub.org>
Message-ID: <56D4ABAD.90902@brainhub.org>
Date: Mon, 29 Feb 2016 12:35:57 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.0
MIME-Version: 1.0
In-Reply-To: <CAOgPGoD=AAFDUXN8VkOHwTMEUm+-qi548NsicoD=1yQKSu-sng@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1456778286; bh=jqtsPAR5LVX5k4OJtk0abTceIa9i1Gqn1yvas51xINA=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=ahk94PSxKVb2MYL7CPOPsgYXrSFw5hLMraQ1/zag+YVf5bB+2SvfhQuMeEdoxP3Qk Bcqme4jIE109R2Y0HVpr9xBzz5ehSmYanXl0JGbn6kUjFA1+BVO+UtLBtLsg3N6og+ 9+svDoAPyad6fp7EfCWoQpb38RB0RRIamSc0MTE2Q2AcppX/6LDcx7y9l0alUQxLOm TbuRktg+bEkGxxJzADCDSx3x1crTnNBgIdCH/nZ+KgThrP1NmlkgsunlmMsKQQLQus PCOawieImmsTSffcfIxSFsTd+yHOdQj+gTcPgjPRKOCcJjTazEA1+9VLcXssD7tWYj zInNmvvJ6bBHg==
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/v4hF7wZPGCUzprTjzw8a8PDxCXQ>
Subject: Re: [TLS] RSA-PSS in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Feb 2016 20:38:12 -0000

On 02/29/2016 09:32 AM, Joseph Salowey wrote:
 > We seem to have good consensus on moving to RSA-PSS and away from
 > PKCS-1.5 in TLS 1.3.  However, there is a problem that it may take some
 > hardware implementations some time to move to RSA-PSS.  After an off
 > list discussion with a few folks here is a proposal for moving forward.
 >
 > We make RSA-PSS mandatory to implement (MUST implement instead of MUST
 > offer).   Clients can advertise support for PKCS-1.5 for backwards
 > compatibility in the transition period.
 > Please respond on the list on whether you think this is a reasonable way
 > forward or not.

I think that supporting PKCS1.5 fallback is the right thing to do for 
wider adoption of TLS 1.3, as specified above.

PKCS #1.5 is allowed by 
https://tools.ietf.org/html/draft-ietf-tls-tls13-11#section-6.3.2.1 in 
X.509 certificates. X.509 certificate chain is a part of TLS handshake. 
The above proposal is about not restricting one type of signature, the 
end-entity signature, to PSS. This applies to client authentication, 
server authentication, or both.

Without a generous advance warning about PKCS#1.5 removal by TLS 1.3, we 
have to deal with already deployed hardware. Had vendors and customers 
knew that TLS 1.3 will remove PKCS #1.5, we probably would have ended up 
with more PSS-friendly Internet. Even now PKCS#1.5 is allowed by FIPS 
140, Common Criteria, and in CA certificates in TLS 1.3, and earlier TLS.

The WG can chose to remove PSS from one type of signature in TLS1.3. 
This will result in affected implementations capping negotiation at TLS 
1.2. There is no other fix in some cases.

For more details: 
https://www.ietf.org/mail-archive/web/tls/current/msg19096.html

(I posted earlier, but don't see the message. Sending this one more 
time, slightly edited)