On Fri, 2017-01-20 at 17:43 +0000, Dr Stephen Henson wrote:
> Additionally PSS signatures (see RFC4055) can be used with RSA keys
> (rsaEncryption OID) and RSA-PSS only keys (id-RSASSA-PSS OID). Does
> the RSASSA-PSS mean that both types must be accepted?
That's quite an interesting finding. Although that protocol behavior seems to ease the transition to RSASSA-PSS, it also paves the field for new cross-protocol attacks. A server which can sign with either of RSASSA-PSS and RSA-PKCS1 and the same key is certainly less secure than a server which can sign with either of them. The only way to enforce that a key is restricted is by requiring the id-RSASSA-PSS OID for RSASSA-PSS.

regards,
Nikos
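The key-restriction check Nikos describes, as an added example that is not part of the thread: read the algorithm OID out of a certificate's SubjectPublicKeyInfo and let an id-RSASSA-PSS key sign only with PSS, while an rsaEncryption key may be used with either scheme. The DER parsing and the sample SPKI blobs (with placeholder key bits) are constructed here; the two OIDs are the ones from RFC 3279 and RFC 4055.

```python
# Added example: enforce RSASSA-PSS key separation from the SPKI algorithm OID.
# Only the outer DER structure is parsed; the key material itself is not used.

RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption: usable with PKCS#1 v1.5 and PSS
ID_RSASSA_PSS = "1.2.840.113549.1.1.10"   # id-RSASSA-PSS: restricted to PSS

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                              # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def spki_algorithm_oid(spki_der):
    """SubjectPublicKeyInfo -> AlgorithmIdentifier -> algorithm OID."""
    _, spki, _ = _read_tlv(spki_der, 0)               # SubjectPublicKeyInfo ::= SEQUENCE
    _, alg_id, _ = _read_tlv(spki, 0)                 # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)                # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return decode_oid(oid)

def key_usable_for(spki_der, scheme):
    """Policy: id-RSASSA-PSS keys sign only with 'pss'; rsaEncryption keys
    may sign with 'pss' or 'pkcs1'; any other key type is refused."""
    oid = spki_algorithm_oid(spki_der)
    if oid == ID_RSASSA_PSS:
        return scheme == "pss"
    if oid == RSA_ENCRYPTION:
        return scheme in ("pss", "pkcs1")
    return False

def _der(tag, content):
    """Minimal short-form DER encoder, used only to build the sample data below."""
    return bytes([tag, len(content)]) + content

# Constructed sample SPKIs: the BIT STRING is a placeholder, only the OID matters.
_FAKE_KEY_BITS = _der(0x03, b"\x00\x30\x00")
SPKI_RSA = _der(0x30, _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00") + _FAKE_KEY_BITS)
SPKI_PSS = _der(0x30, _der(0x30, bytes.fromhex("06092a864886f70d01010a")) + _FAKE_KEY_BITS)
```

A server that wants the stronger property from the thread would additionally refuse to load rsaEncryption keys for PSS signing at all, so that every PSS key on the host is necessarily restricted.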