This text appears in two places (lines 3026 and 3180) +Only RSA signatures based on RSASSA-PSS MAY be used, regardless of whether +RSASSA-PKCS-v1_5 appears in "signature_algorithms".
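Review bot: the same normative sentence is added at both places cited above (lines 3026 and 3180), so a later edit to one copy can leave the two out of step; state the requirement once and refer to it from the other location. As written, the sentence also says only which RSA signatures may be used, not what the verifying peer does with one that is not RSASSA-PSS, so spell out the receiver's behaviour if the surrounding text does not.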
I think it would be better to say: +RSA signatures MUST be based on RSASSA-PSS, regardless of whether +RSASSA-PKCS-v1_5 appears in "signature_algorithms".

Russ

On Sep 10, 2015, at 4:18 PM, Eric Rescorla wrote:

> https://github.com/tlswg/tls13-spec/pull/239
>
> Based on the WG discussion, I've created a PR for adding support for PSS.
> The basic tactic I took is:
>
> - All in-protocol RSA signatures (i.e., in CertificateVerify) are PSS
> - You must use MGF1 with the same hash as you used for the content.
> - I added a rsa_pss SignatureAlgorithm field.
>
> The impact of this is that endpoints can sunset support for RSASSA-PKCS1
> by omitting it from SignatureAlgorithms.
>
> Note that I didn't deprecate SHA-1 (something Hanno suggested) but I expect
> to in another PR based on WG consensus.
>
> Please take a look.
>
> -Ekr
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
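The rule from the quoted message that MGF1 must use the same hash as the content, shown as an added example that is not part of the thread, the PR or the TLS 1.3 draft: a verifier that takes a single hash for both accepts a matching PSS signature and rejects one whose mask was generated with a different hash. The toy key, the function names, the salt length equal to the hash length and the SHA-512 mismatch case are assumptions of this example.

```python
import hashlib, hmac, os

# Constructed toy key built from two Mersenne primes: illustration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
EM_BITS = N.bit_length() - 1
EM_LEN = (EM_BITS + 7) // 8          # equals the modulus length for this key
TOP_MASK = 0xFF >> (8 * EM_LEN - EM_BITS)

def mgf1(seed, length, hash_name):
    """MGF1 (RFC 8017 B.2.1) over the named hash."""
    blocks = -(-length // hashlib.new(hash_name).digest_size)
    return b"".join(hashlib.new(hash_name, seed + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def sign(msg, content_hash, mgf_hash):
    """RSASSA-PSS sign; mgf_hash is separate only so a mismatch can be shown."""
    h_len = hashlib.new(content_hash).digest_size
    salt = os.urandom(h_len)         # assumption: salt length == hash length
    m_hash = hashlib.new(content_hash, msg).digest()
    h = hashlib.new(content_hash, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (EM_LEN - 2 * h_len - 2) + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(h, len(db), mgf_hash)))
    masked[0] &= TOP_MASK
    em = bytes(masked) + h + b"\xbc"
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(EM_LEN, "big")

def verify(msg, sig, hash_name):
    """Verify with one hash for content and MGF1, salt length == hash length."""
    h_len = hashlib.new(hash_name).digest_size
    s = int.from_bytes(sig, "big")
    if len(sig) != EM_LEN or s >= N:
        return False
    em = pow(s, E, N).to_bytes(EM_LEN, "big")
    masked, h = em[:-h_len - 1], em[-h_len - 1:-1]
    if em[-1] != 0xBC or masked[0] & ~TOP_MASK & 0xFF:
        return False
    db = bytearray(xor(masked, mgf1(h, len(masked), hash_name)))
    db[0] &= TOP_MASK
    pad = EM_LEN - 2 * h_len - 2
    if pad < 0 or db[:pad] != b"\x00" * pad or db[pad] != 1:
        return False                 # wrong MGF1 hash shows up as broken padding
    m_hash = hashlib.new(hash_name, msg).digest()
    expect = hashlib.new(hash_name, b"\x00" * 8 + m_hash + bytes(db[pad + 1:])).digest()
    return hmac.compare_digest(expect, h)
```

Because the verifier never takes the MGF1 hash as a separate input, a signer that masks with another hash produces a signature that fails the padding check instead of being silently accepted.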