On 2017-04-05 16:50, Mukund Sivaraman wrote:
>> Also, it is weird that a draft that is about having a fallback if a hash
>> algorithm becomes weakened uses the RSASSA-PKCS1-v1_5 signature scheme,
>> given that PKCS1 1.5 is already known to be weakened.
> 
> It was to allow simple addition of the algorithm to existing
> implementations. However, in light of your comment, we'll discuss
> revising it.
> 

We can certainly discuss alternative schemes; RSASSA-PSS is a potential
alternative, which I understand is considered (much?) better. It has a
big drawback though, in that it requires salt, which can be a big issue
for large deployments.

An advantage would be that then we not only have an alternative within
the RSA family for SHA2, but also for the signature scheme itself.

Speaking of the use-case to pick up this work: IMO having more
cryptographic algorithms ready for use is generally a good thing; we
don't have to wait until the existing ones are completely broken :)

Jelte


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
