On 02/29/2016 09:32 AM, Joseph Salowey wrote:
We seem to have good consensus on moving to RSA-PSS and away from
PKCS-1.5 in TLS 1.3. However, there is a problem that it may take
some hardware implementations some time to move to RSA-PSS. After an
off list discussion with a few folks here is a proposal for moving
forward.
We make RSA-PSS mandatory to implement (MUST implement instead of MUST
offer). Clients can advertise support for PKCS-1.5 for backwards
compatibility in the transition period.
Please respond on the list on whether you think this is a reasonable
way forward or not.
I think that supporting PKCS1.5 fallback is the right thing to do for
faster adoption of TLS 1.3, as specified above.
PKCS #1.5 is allowed by
https://tools.ietf.org/html/draft-ietf-tls-tls13-11#section-6.3.2.1 in
X.509 certificates. The X.509 certificate chain is part of the TLS handshake.
The above proposal is about not restricting one type of signature, the
end-entity signature, to PSS. This applies to client authentication,
server authentication, or both.
Without a generous advance warning about PKCS#1.5 removal by TLS 1.3, we
have to deal with already deployed hardware. Had vendors and customers
known that TLS 1.3 would remove PKCS #1.5, we probably would have ended up
with a more PSS-friendly Internet. PKCS#1.5 is still fine for FIPS 140,
Common Criteria, and in CA certificates in TLS 1.3.
The WG can choose to remove PSS from one type of signature in TLS 1.3. The
affected implementations will need to cap negotiation at TLS 1.2.
For more details:
https://www.ietf.org/mail-archive/web/tls/current/msg19096.html
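The proposal discussed above separates two things: which RSA signature scheme is used for the end-entity (CertificateVerify) signature, and whether a peer that only offers PKCS#1 v1.5 is accepted during the transition. The following Go program is an added illustration written for this thread, not code from the TLS working group or from any TLS stack. It signs the same message with both schemes from Go's standard crypto/rsa, then applies a small policy: RSA-PSS is always accepted, and PKCS#1 v1.5 is accepted for the end-entity signature only when the local policy enables the fallback; with no acceptable scheme, selection fails, which is the point at which an implementation would have to cap negotiation at TLS 1.2. The SignatureScheme code points (rsa_pkcs1_sha256 = 0x0401, rsa_pss_rsae_sha256 = 0x0804) are taken from the final RFC 8446 registry rather than from draft-11, and the salt-length rule (salt equals digest length) is also RFC 8446's; the `Policy` type and function names are this example's own assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Scheme models a TLS 1.3 SignatureScheme code point (values from RFC 8446).
type Scheme uint16

const (
	RSAPKCS1SHA256   Scheme = 0x0401 // rsa_pkcs1_sha256
	RSAPSSRSAESHA256 Scheme = 0x0804 // rsa_pss_rsae_sha256
)

// Policy is this example's assumption: whether the endpoint tolerates
// PKCS#1 v1.5 for the end-entity signature during the transition period.
type Policy struct {
	AllowPKCS1Fallback bool
}

// pssOpts follows the TLS 1.3 rule that the PSS salt length equals the digest length.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

// NewKey generates an RSA key for the demonstration (constructed test material).
func NewKey(bits int) *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return k
}

// Sign produces the end-entity signature over msg with the requested scheme.
func Sign(priv *rsa.PrivateKey, scheme Scheme, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	switch scheme {
	case RSAPKCS1SHA256:
		return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	case RSAPSSRSAESHA256:
		return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
	}
	return nil, errors.New("unsupported signature scheme")
}

// VerifyEndEntity checks the signature, refusing PKCS#1 v1.5 unless the
// policy permits the transition fallback. Certificate-chain signatures are
// out of scope here; the thread notes PKCS#1 v1.5 remains allowed there.
func VerifyEndEntity(pub *rsa.PublicKey, scheme Scheme, msg, sig []byte, pol Policy) error {
	digest := sha256.Sum256(msg)
	switch scheme {
	case RSAPSSRSAESHA256:
		return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts)
	case RSAPKCS1SHA256:
		if !pol.AllowPKCS1Fallback {
			return errors.New("rsa_pkcs1_sha256 not permitted for end-entity signature under this policy")
		}
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
	}
	return errors.New("unsupported signature scheme")
}

// ChooseScheme picks the end-entity scheme from the peer's advertised list:
// PSS when offered, PKCS#1 v1.5 only under the fallback policy, else an error
// (the case where negotiation would have to drop to TLS 1.2).
func ChooseScheme(offered []Scheme, pol Policy) (Scheme, error) {
	for _, s := range offered {
		if s == RSAPSSRSAESHA256 {
			return s, nil
		}
	}
	if pol.AllowPKCS1Fallback {
		for _, s := range offered {
			if s == RSAPKCS1SHA256 {
				return s, nil
			}
		}
	}
	return 0, errors.New("no acceptable RSA signature scheme offered; cap at TLS 1.2 or abort")
}

func main() {
	key := NewKey(2048)
	msg := []byte("constructed CertificateVerify input")
	for _, pol := range []Policy{{AllowPKCS1Fallback: false}, {AllowPKCS1Fallback: true}} {
		for _, s := range []Scheme{RSAPSSRSAESHA256, RSAPKCS1SHA256} {
			sig, _ := Sign(key, s, msg)
			err := VerifyEndEntity(&key.PublicKey, s, msg, sig, pol)
			fmt.Printf("fallback=%v scheme=0x%04x verify err=%v\n", pol.AllowPKCS1Fallback, uint16(s), err)
		}
	}
}
```

A practical observation the code makes visible: the PSS signature changes on every call because of the random salt, while the PKCS#1 v1.5 signature over the same digest is deterministic, so a signature produced under one scheme never verifies under the other, and the negotiated code point must travel with the signature.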
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls