Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

Andrey Jivsov <crypto@brainhub.org> Wed, 30 May 2018 06:03 UTC

To: Martin Thomson <martin.thomson@gmail.com>
Cc: David Benjamin <davidben@chromium.org>, "<tls@ietf.org>" <tls@ietf.org>
References: <a96fb90a-5533-6fc9-4473-fa2e5d0ac131@brainhub.org> <20180529191319.GJ13834@akamai.com> <2f30d9d5-17a0-4a83-ab2d-bfd399c73fd2@brainhub.org> <20180529194251.GK13834@akamai.com> <50f2f097-d8b0-334d-e1b2-1ea34fff9d29@brainhub.org> <CAF8qwaAZOZs__81Q2zvreM-X-t07G80V-4t1NKgZCWiP5yD-Yg@mail.gmail.com> <d8b6f651-f5ac-a16e-db81-91812e483f72@brainhub.org> <CAF8qwaB_LoPAvz41k0_+FANnrAznzTHE9h4dhq5SKP+mkiL0jg@mail.gmail.com> <7c503b05-1c33-7c94-d79f-b7feb2d8c145@brainhub.org> <CABkgnnXBsNQDebM7R60XzjujX-oXZHQmW6vb1-eiHHun0pTLng@mail.gmail.com> <97d05a8c-3d4e-0ce8-d0d1-7d64a8b4f227@brainhub.org> <CABkgnnWNuqGEkCycqT3QNf=xEYeEoO-H0DZpBH4TFNRsSbfvWw@mail.gmail.com>
From: Andrey Jivsov <crypto@brainhub.org>
Message-ID: <1b87cc44-2329-697d-59b7-829e87b67aef@brainhub.org>
Date: Tue, 29 May 2018 23:03:03 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zWWV8W0A9XvRcam1n-qb1m3gS8A>
Subject: Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On 05/29/2018 10:13 PM, Martin Thomson wrote:
> On Wed, May 30, 2018 at 2:53 PM Andrey Jivsov <crypto@brainhub.org> wrote:
>> The quoted text is old. The need to upgrade TLS 1.2 code if I
>> support TLS 1.3 is new.
> No, I'm certain we had that discussion too.
>
>> I am curious about the scenarios when this upgrade of TLS 1.2 to PSS
>> will take place.
> When people deploy TLS 1.3.  Which is happening already.  You can avoid the
> need as a server because a client willing to do TLS 1.2 will probably offer
> RSASSA PKCS#1 v1.5 and you can rely on that being there.  But yeah, clients
> are going to have to suck it up.  Here's the text, which I think is pretty
> clear:
> "Implementations that advertise support for RSASSA-PSS (which is mandatory
> in TLS 1.3), MUST be prepared to accept a signature using that scheme even
> when TLS 1.2 is negotiated."

Correct. That's the single paragraph that I think should not be there.

As I asked in the previous message, what is a scenario when this
paragraph helps? When will we see a fallback to TLS 1.2 AND an upgrade of
legacy PKCS#1 v1.5 to PSS (within TLS 1.2)? Why could such a server not
accept TLS 1.3 and use PSS there?
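The requirement quoted above, in working form. This is an added example in Go and is not code from the thread or from any TLS implementation: a TLS 1.3-capable client sends a signature_algorithms list with rsa_pss_rsae_sha256 (0x0804) ahead of rsa_pkcs1_sha256 (0x0401), the server picks a scheme for its TLS 1.2 ServerKeyExchange signature, and the client verifies it. The codepoints, the PSS salt-length rule and the ServerKeyExchange signing input are from RFC 8446 section 4.2.3 and RFC 5246; the key, the randoms, the ECDH parameter bytes and the extension body are constructed; the server preference order and the `pssCapable` flag (modelling a TLS 1.2 stack that was never given a PSS verifier) are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignatureScheme codepoints (RFC 8446 section 4.2.3). TLS 1.2 reads the same two bytes as {hash, signature}; 0x0804 has no legacy meaning.
const (
	RSAPKCS1SHA256   uint16 = 0x0401
	RSAPSSRSAESHA256 uint16 = 0x0804
)

var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} // RFC 8446 4.2.3: salt length = digest length

// parseSignatureAlgorithms decodes the extension body (2-byte length, then 2-byte codepoints) with the length checks a real parser needs.
func parseSignatureAlgorithms(b []byte) ([]uint16, error) {
	if len(b) < 4 || len(b)%2 != 0 || int(binary.BigEndian.Uint16(b)) != len(b)-2 {
		return nil, errors.New("signature_algorithms: bad length")
	}
	out := make([]uint16, (len(b)-2)/2)
	for i := range out {
		out[i] = binary.BigEndian.Uint16(b[2+2*i:])
	}
	return out, nil
}

// selectScheme returns the first server-preferred scheme the client offered (RFC 5246 7.4.1.4.1 lets the server pick any of them).
func selectScheme(serverPrefs, offered []uint16) (uint16, error) {
	for _, s := range serverPrefs {
		for _, c := range offered {
			if s == c {
				return s, nil
			}
		}
	}
	return 0, errors.New("no common signature scheme")
}

// signSKE signs the TLS 1.2 ServerKeyExchange input (client_random || server_random || ServerECDHParams).
func signSKE(priv *rsa.PrivateKey, scheme uint16, tbs []byte) ([]byte, error) {
	h := sha256.Sum256(tbs)
	switch scheme {
	case RSAPKCS1SHA256:
		return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	case RSAPSSRSAESHA256:
		return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], pssOpts)
	}
	return nil, fmt.Errorf("unsupported scheme %#04x", scheme)
}

// verifySKE is the client side; pssCapable=false (an assumption of this example) models a TLS 1.2 stack that only ever implemented PKCS#1 v1.5.
func verifySKE(pub *rsa.PublicKey, scheme uint16, tbs, sig []byte, pssCapable bool) error {
	h := sha256.Sum256(tbs)
	switch scheme {
	case RSAPKCS1SHA256:
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
	case RSAPSSRSAESHA256:
		if !pssCapable {
			return errors.New("advertised 0x0804 but have no RSASSA-PSS verifier")
		}
		return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, pssOpts)
	}
	return fmt.Errorf("unsupported scheme %#04x", scheme)
}

// runHandshake models one TLS 1.2 negotiation with a TLS 1.3-capable client; it returns the server's chosen scheme and the client's verification result.
func runHandshake(serverPrefs []uint16, clientPSSCapable bool) (uint16, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway key for the example
	if err != nil {
		return 0, err
	}
	offered, err := parseSignatureAlgorithms([]byte{0x00, 0x04, 0x08, 0x04, 0x04, 0x01}) // constructed body: rsa_pss_rsae_sha256, rsa_pkcs1_sha256
	if err != nil {
		return 0, err
	}
	scheme, err := selectScheme(serverPrefs, offered)
	if err != nil {
		return 0, err
	}
	tbs := make([]byte, 64) // constructed client_random || server_random
	rand.Read(tbs)
	tbs = append(tbs, 0x03, 0x00, 0x17) // constructed ServerECDHParams prefix: named_curve secp256r1
	sig, err := signSKE(priv, scheme, tbs)
	if err != nil {
		return 0, err
	}
	return scheme, verifySKE(&priv.PublicKey, scheme, tbs, sig, clientPSSCapable)
}

func main() {
	fmt.Println(runHandshake([]uint16{RSAPSSRSAESHA256, RSAPKCS1SHA256}, false))
}
```

With the server preferring PSS, a client that advertised 0x0804 but only carries PKCS#1 v1.5 code fails to verify the ServerKeyExchange, which is the case the quoted paragraph exists to rule out. With `serverPrefs` set to `{RSAPKCS1SHA256}` the same legacy client completes the handshake, which is the server-side escape described earlier in the thread (a client willing to do TLS 1.2 almost always offers 0x0401 too).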