On 02/29/2016 02:36 PM, Hanno Böck wrote:
> We have an RFC for PSS since 2003.
> We had several attacks showing the weakness of PKCS #1 1.5.

In the face of such danger, what's your opinion on PKCS #1.5 signatures being perfectly fine in TLS 1.3? I refer to signatures in X.509 certs in the latest https://tools.ietf.org/html/draft-ietf-tls-tls13-11.

Why not ban PKCS #1.5 altogether from TLS 1.3? It will not only make TLS 1.3 more secure, but code simpler and footprint smaller. Besides, it's reasonable: TLS 1.2 already allows PSS in X.509 certs.

You are arguing for the benefit of suddenly mandating a steel door on a grass hut. Joseph Salowey's proposal gives an option for the door, consistent with how TLS 1.2 does this for X.509 certs.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
