Hanno Böck wrote:
> Joseph Salowey <j...@salowey.net> wrote:
>>
>> We make RSA-PSS mandatory to implement (MUST implement instead of MUST
>> offer). Clients can advertise support for PKCS-1.5 for backwards
>> compatibility in the transition period.
>> Please respond on the list on whether you think this is a reasonable
>> way forward or not.
>
> I recently already saw the message here asking for PKCS #1 1.5
> compatibility and was quite angry about it, but as there wasn't much
> discussion I thought this issue would go away. It seems it did not.
>
> RSA-PSS was specified as RFC 3447 in 2003. That was 13 years ago.
RSA-PSS signatures are crap, and they're pretty close to useless.

What should have been adopted for TLSv1.2 already, however, is the less
forgiving PKCS#1 v1.5 signature check, that re-creates the encoding and
then compares the recreated inner encoding with the RSA-decrypted
encoding only. Get rid of the de-padding and get rid of the ASN.1
decoding of the contents. This is also the recommended fashion for
PKCS#1 v1.5 signature verification in rfc3447.

The *huge* advantage of PKCS#1 v1.5 signatures over RSA-PSS and ECDSA
signatures is that one can clearly distinguish "wrong public key" from
"signature does not fit plaintext" errors, and losing this capability
makes certain kinds of programming goofs (plus a few admin configuration
goofs) much harder to distinguish from data corruption during transfer.

XMLdsig and XML canonicalization is another source of endless fun, where
being able to distinguish these causes for signature verification
failure facilitates troubleshooting.

Signature verification itself is a public key operation, so RSA-PSS is a
wholly different beast than RSA-OAEP.

-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
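The "less forgiving" PKCS#1 v1.5 check Martin describes, written out as an added example (not code from this thread or from any TLS implementation): the verifier re-creates the full encoded message EM = 0x00 || 0x01 || PS || 0x00 || DigestInfo from the message it holds, applies the RSA public operation to the signature, and compares the two byte strings whole. Nothing is de-padded and no ASN.1 is decoded out of the public-operation result. A second, diagnostic-only function then shows the troubleshooting property he values: when the recovered EM has the right padding and DigestInfo prefix but a different hash, the key was right and the signature simply does not fit this plaintext; when no PKCS#1 structure comes out at all, the public key is wrong or the signature bytes are corrupt. The assumptions are SHA-256 as the hash (the DigestInfo prefix is the one RFC 8017 section 9.2 lists for it), a 1024-bit key, and a toy Miller-Rabin key generator that exists only so the block runs offline; it is not hardened for real use.

```python
import hashlib
import hmac
import math
import secrets

# DigestInfo prefix for SHA-256 (RFC 8017 section 9.2, note 1); the 32-byte hash follows it.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
HASH_LEN = hashlib.sha256().digest_size


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin. Demo-quality key generation only, not for production."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    # Top two bits set so that p*q has exactly 2*bits bits (fixed signature length).
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=1024, e=65537):
    """Return (n, e, d). Toy key generation for the demo only."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def emsa_pkcs1_v15_encode(msg, em_len):
    """EM = 0x00 || 0x01 || PS (all 0xFF) || 0x00 || DigestInfo, per RFC 8017 section 9.2."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v15_encode(msg, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def _recover_em(sig, n, e):
    """RSA public operation; None when sig is not a valid signature representative."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return None
    s = int.from_bytes(sig, "big")
    if s >= n:
        return None
    return pow(s, e, n).to_bytes(k, "big")


def verify_strict(msg, sig, n, e):
    """The strict check: re-create EM and compare the whole thing.
    No de-padding and no ASN.1 decoding of the public-operation output."""
    em_prime = _recover_em(sig, n, e)
    if em_prime is None:
        return False
    return hmac.compare_digest(em_prime, emsa_pkcs1_v15_encode(msg, len(em_prime)))


def classify_failure(msg, sig, n, e):
    """Troubleshooting aid only; acceptance is decided by verify_strict alone.
    'ok': full match.  'hash-mismatch': padding and DigestInfo intact, only the
    hash differs (right key, signature does not fit this plaintext).
    'garbage': no PKCS#1 v1.5 structure recovered (wrong key or corrupt bytes)."""
    em_prime = _recover_em(sig, n, e)
    if em_prime is None:
        return "garbage"
    em = emsa_pkcs1_v15_encode(msg, len(em_prime))
    if em_prime == em:
        return "ok"
    if em_prime[:-HASH_LEN] == em[:-HASH_LEN]:
        return "hash-mismatch"
    return "garbage"
```

`verify_strict` is the only function whose answer should feed the accept/reject decision, and the peer still sees nothing more than "bad signature"; `classify_failure` belongs in the local log, where the "hash-mismatch" versus "garbage" split tells an operator whether to look at the data being signed or at the key that was configured.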