> On 8 Feb 2017, at 21:34, Timothy Jackson <tjack...@mobileiron.com> wrote:
> 
> I have a question on RFC5246 (TLS 1.2) and how it’s going to interact with 
> RSASSA-PSS as we roll out TLS 1.3. Does the prohibition against RSASSA-PSS 
> apply only to the signatures that can be used for signing handshakes or does 
> it apply to the entire certificate chain as well? I ask because while I think 
> the latter may have been the intent I have not found anything that indicates 
> the former is not actually what the RFCs require.
> 
> The relevant section of RFC4056 reads:
> 
> 7.4.2 Server Certificate
> …
>    Note that there are certificates that use algorithms and/or algorithm
>    combinations that cannot be currently used with TLS.  For example, a
>    certificate with RSASSA-PSS signature key (id-RSASSA-PSS OID in
>    SubjectPublicKeyInfo) cannot be used because TLS defines no
>    corresponding signature algorithm.
> 
> I don’t see anything here that restricts which signatures can be used on the 
> certificates themselves. Is that accurate?

No.  A few paragraphs up:

   If the client provided a "signature_algorithms" extension, then all
   certificates provided by the server MUST be signed by a
   hash/signature algorithm pair that appears in that extension.

And it doesn’t help if the client does not provide the extension.  The 
extension can restrict from among the set of supported algorithms; its absence 
does not allow undefined algorithms.

Yoav
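As an added illustration (not code from this thread or from any TLS stack), the following Python models the rule quoted above: every certificate in the chain must map onto a TLS 1.2 hash/signature pair the client advertised, and an omitted signature_algorithms extension only defaults to {sha1, suite signature} rather than admitting undefined algorithms. The certificate model, the sample chain and the OID-to-pair table are constructed for this example.

```python
# Added example (not from the thread): a TLS 1.2 style check that every
# certificate in a server chain is signed with a hash/signature pair the
# client advertised in signature_algorithms (RFC 5246, section 7.4.2).
# Certificates are modelled as (subject, signatureAlgorithm OID) tuples;
# the chain and the OID table below are constructed sample data.

# Hash and signature codepoints from RFC 5246, section 7.4.1.4.1.
HASH = {"sha1": 2, "sha224": 3, "sha256": 4, "sha384": 5, "sha512": 6}
SIG = {"rsa": 1, "dsa": 2, "ecdsa": 3}

# Certificate signatureAlgorithm OIDs that map onto a TLS 1.2 pair.
# id-RSASSA-PSS (1.2.840.113549.1.1.10) is deliberately absent: TLS 1.2
# defines no corresponding (hash, signature) pair, so it can never match.
OID_TO_PAIR = {
    "1.2.840.113549.1.1.5":  (HASH["sha1"], SIG["rsa"]),      # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": (HASH["sha256"], SIG["rsa"]),    # sha256WithRSAEncryption
    "1.2.840.10045.4.3.2":   (HASH["sha256"], SIG["ecdsa"]),  # ecdsa-with-SHA256
}

def effective_sigalgs(client_sigalgs, key_exchange_sig):
    """Pairs the server may use.  If the client omitted the extension,
    RFC 5246 says to behave as if it sent {sha1, <suite's signature alg>};
    the omission does not admit algorithms TLS 1.2 never defined."""
    if client_sigalgs is None:
        return {(HASH["sha1"], SIG[key_exchange_sig])}
    return set(client_sigalgs)

def check_chain(chain, client_sigalgs, key_exchange_sig="rsa"):
    """Return a list of (subject, reason) for every certificate whose
    signature is not acceptable; an empty list means the chain passes."""
    allowed = effective_sigalgs(client_sigalgs, key_exchange_sig)
    problems = []
    for subject, sig_oid in chain:
        pair = OID_TO_PAIR.get(sig_oid)
        if pair is None:
            problems.append((subject, f"no TLS 1.2 signature algorithm for OID {sig_oid}"))
        elif pair not in allowed:
            problems.append((subject, f"pair {pair} not in client signature_algorithms"))
    return problems

# Constructed sample chain: leaf signed with RSASSA-PSS, intermediate with sha256/RSA.
SAMPLE_CHAIN = [
    ("CN=www.example.test", "1.2.840.113549.1.1.10"),
    ("CN=Example Intermediate CA", "1.2.840.113549.1.1.11"),
]

if __name__ == "__main__":
    for subject, reason in check_chain(SAMPLE_CHAIN, [(HASH["sha256"], SIG["rsa"])]):
        print(f"reject {subject}: {reason}")
```

Running it rejects only the RSASSA-PSS leaf; dropping the client extension (passing None) also rejects the sha256/RSA intermediate, because the fallback is sha1/RSA alone.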


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
