Joseph Salowey <j...@salowey.net> wrote:
> We seem to have good consensus on moving to RSA-PSS and away from PKCS-1.5
> in TLS 1.3. However, there is a problem that it may take some hardware
> implementations some time to move to RSA-PSS. After an off list discussion
> with a few folks here is a proposal for moving forward.
>
> We make RSA-PSS mandatory to implement (MUST implement instead of MUST
> offer). Clients can advertise support for PKCS-1.5 for backwards
> compatibility in the transition period.
> Please respond on the list on whether you think this is a reasonable way
> forward or not.
>
I agree with the others that TLS should use exclusively RSA-PSS (with all the parameters fixed according to the digest function used to digest the data) when RSA is used in the protocol. Implementations that can't support PSS in hardware can either implement it in software or use ECDSA or keep on using TLS 1.2.

Cheers,
Brian
--
https://briansmith.org/