On Fri, Jan 20, 2017 at 11:29 AM, Brian Smith <br...@briansmith.org> wrote:
> RSA PSS with a zero-length salt is a deterministic,
> subliminal-channel-free signature scheme. It is one of the few
> signature schemes that structurally prevent an HSM from directly
> leaking (parts of) the private key in an undetectable way.
Brian's disowned recommendation in the TLS 1.3 draft matches what I suggest for PSS signatures:

* Salt length is the length of the hash function.
* MGF1 hash function is the same as the message hash function.
* The trailer field has the default value.

(I like Brian's idea, but I hate options, so I'm torn here.)

Certificates that don't match that format are at risk of not working in Google products because we hate excessive options. (We'll see, practically speaking, how much we have to bend on that point, as always.)

Cheers

AGL

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls