On Wed, 2017-11-22 at 03:54 +0000, Peter Wu wrote:
> Hi,
>
> At the moment there is still ambiguity in the requirements for PSS with
> relation to certificates. Proposal to clarify this:
> https://github.com/tlswg/tls13-spec/pull/1098
>
> This PR intends to clarify the requirements for PSS support.
Hi,

I commented on the PR, but to provide more context. I believe RSA-PSS keys without parameters MUST be supported under TLS1.3. The reason is that keys explicitly marked as RSA-PSS cannot be used for RSA PKCS#1 1.5 encryption, and thus they provide a way for the server to know that it must protect that key against (cross-protocol) attacks which utilize RSA ciphersuites under TLS1.2. On why you don't want to mix keys for TLS1.3 and TLS1.2 RSA ciphersuites, see all the Bleichenbacher attack reiterations over the years.

So what about distinguishing the RSA-PSS keys with and without parameters:

"an RSASSA-PSS public key (OID id-RSASSA-PSS) without parameters MUST be supported, while an RSASSA-PSS public key (OID id-RSASSA-PSS) with parameters MAY be supported."

regards,
Nikos

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
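The distinction the message turns on is visible in the certificate's SubjectPublicKeyInfo: a key whose AlgorithmIdentifier carries id-RSASSA-PSS is dedicated to PSS signing, whereas an rsaEncryption key can also serve PKCS#1 v1.5 encryption and therefore TLS 1.2 RSA key exchange. The following is an added example (not code from the thread, the PR or any TLS implementation) that parses just enough DER to classify an SPKI into rsaEncryption, id-RSASSA-PSS without parameters, or id-RSASSA-PSS with parameters, and maps the two PSS cases onto the MUST/MAY wording Nikos proposes. The DER helpers and the sample SPKIs are hand-rolled here; the BIT STRING key material is a constructed placeholder, not a real RSA key, and the "with parameters" sample carries only a saltLength field (every field of RSASSA-PSS-params is optional, so this is still a valid parameter block).

```python
"""Classify the key algorithm in an X.509 SubjectPublicKeyInfo (SPKI) so a
server can tell a PSS-only key (id-RSASSA-PSS) from a general rsaEncryption
key that could also be used for TLS 1.2 RSA key exchange.

Added example with a minimal hand-rolled DER reader; not a general ASN.1 parser."""
from typing import Dict, Optional, Tuple

OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption (RFC 3279)
OID_RSASSA_PSS = "1.2.840.113549.1.1.10"     # id-RSASSA-PSS (RFC 4055)


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER element at pos; return (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def classify_spki(spki: bytes) -> Dict[str, object]:
    """Return the key OID, whether the key is dedicated to PSS, and the
    support level from the proposed wording (MUST / MAY / None)."""
    tag, body, _ = _read_tlv(spki, 0)           # SubjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, algid, _ = _read_tlv(body, 0)          # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid_bytes, end = _read_tlv(algid, 0)   # algorithm OID
    if tag != 0x06:
        raise ValueError("algorithm is not an OID")
    oid = _decode_oid(oid_bytes)
    has_params = end < len(algid)               # anything after the OID?

    if oid == OID_RSA_ENCRYPTION:
        # Also usable for PKCS#1 v1.5 encryption, i.e. TLS 1.2 RSA key exchange:
        # this is the key type the cross-protocol concern applies to.
        return {"oid": oid, "dedicated_to_pss": False, "tls13_proposal": None}
    if oid == OID_RSASSA_PSS:
        return {"oid": oid, "dedicated_to_pss": True,
                "tls13_proposal": "MAY" if has_params else "MUST"}
    return {"oid": oid, "dedicated_to_pss": False, "tls13_proposal": None}


# --- DER encoders used only to build constructed sample SPKIs -----------------
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


SAMPLE_KEY_BITS = _tlv(0x03, b"\x00" + bytes(8))  # constructed placeholder, not a real key


def make_spki(oid: str, params: Optional[bytes]) -> bytes:
    algid = _encode_oid(oid) + (params if params is not None else b"")
    return _tlv(0x30, _tlv(0x30, algid) + SAMPLE_KEY_BITS)


SPKI_RSA_ENCRYPTION = make_spki(OID_RSA_ENCRYPTION, b"\x05\x00")        # NULL params
SPKI_PSS_NO_PARAMS = make_spki(OID_RSASSA_PSS, None)                     # params absent
SPKI_PSS_WITH_PARAMS = make_spki(                                        # saltLength 32 only
    OID_RSASSA_PSS, _tlv(0x30, _tlv(0xA2, _tlv(0x02, b"\x20"))))

if __name__ == "__main__":
    for name, spki in [("rsaEncryption", SPKI_RSA_ENCRYPTION),
                       ("PSS, no params", SPKI_PSS_NO_PARAMS),
                       ("PSS, with params", SPKI_PSS_WITH_PARAMS)]:
        print(f"{name:18} -> {classify_spki(spki)}")
```

A server that loads its certificate through such a check can refuse to offer TLS 1.2 RSA key-exchange ciphersuites for any key reported as `dedicated_to_pss`, and can flag an rsaEncryption key that is shared across both protocol versions, which is exactly the mixing the message warns against. Note that the check treats any bytes following the OID as "parameters present"; it does not validate the RSASSA-PSS-params contents.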