On Sun, Jul 24, 2016 at 11:45:48AM +0200, Martin Thomson wrote:
> David Benjamin noted that we really need to decide whether PSS was
> something that we should have supported in TLS 1.2. We can't have a
> situation where there are two implementations of 1.3 that for some
> reason have 1.3 disabled where they disagree whether PSS is
> acceptable.

My arguing about support for new signature algorithms predated the crypto negotiation revamp. Back then, one had to assign a legacy type for each TLS 1.3-valid end-entity signature scheme, which for all practical purposes makes it work in TLS 1.2.

However, since the revamped mechanism entirely dumps legacy types, it could be possible to have legacy-untyped signatures, which definitely are not allowed in TLS 1.2 (one could even assign a legacy type post-hoc, which would make it legal for TLS 1.2, but would not affect TLS 1.3 in any way). However, it is a separate matter if a backport would make sense for other reasons...

> I have opened a PR that makes it clear that PSS is defined for TLS 1.2.

The legacy type of RSA-PSS is RSA, right?

-Ilari