Hi Nikos,

On Wed, Nov 22, 2017 at 09:42:04AM +0100, Nikos Mavrogiannopoulos wrote:
> On Wed, 2017-11-22 at 03:54 +0000, Peter Wu wrote:
> > Hi,
> >
> > At the moment there is still ambiguity in the requirements for PSS
> > with relation to certificates. Proposal to clarify this:
> > https://github.com/tlswg/tls13-spec/pull/1098
> >
> > This PR intends to clarify the requirements for PSS support.
>
> Hi,
> I commented on the PR, but to provide more context. I believe RSA-PSS
> keys without parameters MUST be supported under TLS1.3. The reason is
> that keys explicitly marked as RSA-PSS cannot be used for RSA PKCS#1
> 1.5 encryption, and thus they provide a way for the server to know that
> it must protect that key against (cross-protocol) attacks which utilize
> RSA ciphersuites under TLS1.2.
>
> On why you don't want mixing keys for TLS1.3 and TLS1.2 RSA
> ciphersuites, see all the Bleichenbacher attack reiterations over the
> years.
>
> So what about distinguishing the RSA-PSS keys with and without
> parameters:
>
> "an RSASSA-PSS public key (OID id-RSASSA-PSS) without parameters MUST
> be supported, while an RSASSA-PSS public key (OID id-RSASSA-PSS) with
> parameters MAY be supported."

In my understanding, the parameters are REQUIRED (cannot be NULL), but
an "empty" DER encoding means that the default parameters are used
(SHA-1, MGF1 with SHA-1, salt length equal to SHA-1 output (20), default
trailer) per https://tools.ietf.org/html/rfc8017#page-75

Is this restriction what you intended?
--
Kind regards,
Peter Wu
https://lekensteyn.nl
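The three parameter encodings this thread distinguishes (parameters field absent, an empty SEQUENCE that selects the RFC 8017 defaults, and explicit values), as an added Python example that is not part of the original message. The helper names and the sample byte strings are constructed for illustration, and the parser assumes short-form DER lengths and MGF1 as the mask generation function.

```python
# Added illustration: helper names and sample bytes are constructed, not taken from the thread.
PSS_OID = bytes.fromhex("2a864886f70d01010a")  # id-RSASSA-PSS, 1.2.840.113549.1.1.10
HASHES = {"2b0e03021a": "sha1", "608648016503040201": "sha256"}
DEFAULTS = {"hash": "sha1", "mgf_hash": "sha1", "salt_len": 20, "trailer": 1}  # RFC 8017 A.2.3

def read_tlv(buf, pos=0):
    """Decode one short-form DER element: (tag, content, next_pos)."""
    if len(buf) - pos < 2 or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form DER (not handled in this sketch)")
    tag, end = buf[pos], pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos + 2:end], end

def children(content, pos=0):
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        yield tag, val

def hash_name(alg_id_content):  # content of a hash AlgorithmIdentifier, OID first
    oid = read_tlv(alg_id_content)[1]
    return HASHES.get(oid.hex(), oid.hex())

def classify_pss(alg_id_der):
    """Return (kind, params) for an id-RSASSA-PSS AlgorithmIdentifier."""
    tag, body, _ = read_tlv(alg_id_der)
    items = list(children(body))
    if tag != 0x30 or not items or items[0] != (0x06, PSS_OID):
        raise ValueError("not an id-RSASSA-PSS AlgorithmIdentifier")
    if len(items) == 1:
        return "absent", None  # no parameters field at all
    ptag, pval = items[1]
    if ptag != 0x30:  # e.g. NULL (05 00) is not RSASSA-PSS-params
        raise ValueError("parameters must be an RSASSA-PSS-params SEQUENCE")
    params = dict(DEFAULTS)  # every omitted field keeps its DEFAULT
    for ctag, wrapped in children(pval):  # [0]..[3] are EXPLICIT tags
        inner = read_tlv(wrapped)[1]
        if ctag == 0xA0:
            params["hash"] = hash_name(inner)
        elif ctag == 0xA1:  # assumes MGF1, whose parameter is a hash AlgorithmIdentifier
            params["mgf_hash"] = hash_name(list(children(inner))[1][1])
        elif ctag in (0xA2, 0xA3):
            params["salt_len" if ctag == 0xA2 else "trailer"] = int.from_bytes(inner, "big")
    return ("explicit" if pval else "empty-defaults"), params

# Constructed samples: no parameters, empty SEQUENCE (30 00), SHA-256/MGF1-SHA-256/salt 32
ABSENT = bytes.fromhex("300b06092a864886f70d01010a")
EMPTY = bytes.fromhex("300d06092a864886f70d01010a3000")
EXPLICIT = bytes.fromhex("303d06092a864886f70d01010a3030a00d300b0609608648016503040201"
                         "a11a301806092a864886f70d010108300b0609608648016503040201a203020120")
```

`classify_pss(ABSENT)` and `classify_pss(EMPTY)` return different kinds even though the two encodings differ only by the trailing `30 00`, which is the distinction the proposed wording has to pin down.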