> PKCS #1 1.5 is a real problem. The last PKCS #1 1.5 signature related
> vuln that could've been prevented by using RSA-PSS was found 2 months
> ago [1]. The last one in a major implementation (BERserk) was in 2014.
>
> tl;dr: I don't think supporting PKCS #1 1.5 in TLS 1.3 is reasonable.
> Let's not repeat the mistakes from the past.

I agree, we started 1.3 by removing old and deprecated stuff. We should not allow it now and risk weakening our work...

B.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls