Re: [TLS] RSA-PSS in TLS 1.3

Martin Thomson <> Tue, 01 March 2016 04:56 UTC

On 1 March 2016 at 04:32, Joseph Salowey <> wrote:
> We make RSA-PSS mandatory to implement (MUST implement instead of MUST
> offer).   Clients can advertise support for PKCS-1.5 for backwards
> compatibility in the transition period.

From my perspective, this is fine.  I would like to say that we won't
ever support PKCS#1.5 for TLS 1.3, but I think that I would rather
have users on 1.3 with PKCS#1.5 than have them stuck on 1.2.

It seems like others are taking the position that we should say "MUST
NOT use PKCS#1.5".  I would love for that to be the case, but I want
a separate decision path for that, preferably one that is somewhat
under my control.  Once we have information about usage for each
signature scheme, I'll be happy to arrange for another "break the web"