On 18/02/2017 02:31, Dr Stephen Henson wrote: > > Does this apply to RSASSA-PSS (RSA-PSS signing only) keys in end entity > certificates too? > > For example could a TLS 1.2 server legally present a certificate containing an > RSASSA-PSS key for an appropriate ciphersuite? Similarly could a client > present > a certificate contain an RSASSA-PSS key? >
I can't recall getting a definitive answer to this. IMHO we should make the requirements clear in the spec otherwise we could get interop issues. Based on the opinions stated in this thread that would be: 1. When PSS signatures appear certificates, MGF digest and signing digest MUST match and the salt length must equal the digest length. 2. Indicate that the PSS only (id-RSASSA-PSS) and RSA (rsaEncryption) keys MUST be supported both as server keys and CA keys in certificates. 3. PSS only keys MUST be supported for TLS 1.2 also. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.co.uk/ Email: shen...@drh-consultancy.co.uk, PGP key: via homepage. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
