On 01/03/16 19:20, Yoav Nir wrote:

On 1 Mar 2016, at 8:23 PM, Alyssa Rowan <a...@akr.io> wrote:
<snip>
When a CA issues a certificate it has to work with every client
and server out there,

That doesn't have to be true. For example, many OpenSSL-based servers can be configured to serve an ECC certificate to TLS clients that indicate support for ECC, and to serve an RSA certificate to other TLS clients.

When we use TLS 1.3, the other side supports
TLS 1.3 as well, so it’s fair to assume that it knows PSS.

Perhaps the PKIX working group and CAB/Forum could both use a friendly
reminder not to ignore how perilous using RSA PKCS#1 v1.5 still remains?

+1

Neither you nor I can post in any of the CA/Browser forum’s lists, because 
neither of us has either a browser or a public CA.

There are some people who are active there and are reading this list, so they 
might take such a proposal there. I’m not very optimistic, though.

Please don't give up without even trying!

If you have a proposal, I'd be happy to post it to the pub...@cabforum.org list on your behalf.

Alternatively, you could post it to the questi...@cabforum.org list yourself.

<snip>

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
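The dual-certificate setup mentioned in the message above (an ECC certificate for clients that indicate ECC support, an RSA certificate for the rest), shown as an added example that is not part of the original message. It uses Python's OpenSSL-backed `ssl` module; the function names, the constructed self-signed certificates, the `openssl` CLI being on PATH, and the TLS 1.2 cap (so the offered cipher suite is what signals ECC support) are assumptions of this example.

```python
import os, ssl, subprocess, tempfile

def make_cert(d, name, key_args):
    """Constructed self-signed test certificate via the openssl CLI (assumed on PATH)."""
    key, crt = os.path.join(d, name + ".key"), os.path.join(d, name + ".crt")
    subprocess.run(["openssl", "req", "-x509", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-newkey", *key_args,
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    with open(crt) as f:
        return key, crt, ssl.PEM_cert_to_DER_cert(f.read())

def handshake(server_ctx, client_ctx):
    """In-memory handshake (no sockets); returns the DER certificate the server sent."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname="localhost")
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    pending = [(client, c_out, s_in), (server, s_out, c_in)]
    for _ in range(10):
        for item in list(pending):
            side, out_bio, peer_in = item
            try:
                side.do_handshake()
                pending.remove(item)
            except ssl.SSLWantReadError:
                pass                        # needs more data from the peer
            peer_in.write(out_bio.read())   # deliver this side's flight to the peer
        if not pending:
            break
    return client.getpeercert(binary_form=True)

def demo():
    """Map each client cipher suite to the key type of the certificate it was served."""
    with tempfile.TemporaryDirectory() as d:
        certs = {"rsa": make_cert(d, "rsa", ["rsa:2048"]),
                 "ecdsa": make_cert(d, "ec", ["ec", "-pkeyopt", "ec_paramgen_curve:prime256v1"])}
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        for key, crt, _ in certs.values():  # OpenSSL keeps one chain per key type
            server_ctx.load_cert_chain(crt, key)
        result = {}
        for suite in ("ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"):
            client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            client_ctx.check_hostname = False           # test certs are self-signed
            client_ctx.verify_mode = ssl.CERT_NONE
            client_ctx.maximum_version = ssl.TLSVersion.TLSv1_2
            client_ctx.set_ciphers(suite)               # what the client "indicates"
            sent = handshake(server_ctx, client_ctx)
            result[suite] = next(n for n, c in certs.items() if c[2] == sent)
        return result

if __name__ == "__main__":
    print(demo())
```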
