Hi Martin,
thanks for your feedback. I have discussed the topic with my co-worker
Manuel.
Another way of seeing the use of the hash by the client is to help the
server to select the pick certificate (or other cached data). It does
not have a security purpose as such, it is only a way to prevent t

Hi Hannes,
I've followed a similar chain of thought myself. I think that the
right answer here is similar to what you describe: the security of TLS
does not depend on the presence of the certificate at all, rather it
depends on the use of a private key that the client trusts. That most
clients r

https://github.com/tlswg/tls13-spec/pull/239
Based on the WG discussion, I've created a PR for adding support for PSS.
The basic tactic I took is:
- All in-protocol RSA signatures (i.e., in CertificateVerify) are PSS
- You must use MGF1 with the same hash as you used for the content.
- I added a

This text appears in two places (lines 3026 and 3180)
+Only RSA signatures based on RSASSA-PSS MAY be used, regardless of whether
+RSASSA-PKCS-v1_5 appears in "signature_algorithms".
I think it would be better to say:
+RSA signatures MUST be based on RSASSA-PSS, regardless of whether
+RSASSA-PKC