On Wed, 2017-11-22 at 12:15 +0000, Peter Wu wrote:
> Hi Nikos,
>
> On Wed, Nov 22, 2017 at 09:42:04AM +0100, Nikos Mavrogiannopoulos wrote:
> > On Wed, 2017-11-22 at 03:54 +0000, Peter Wu wrote:
> > > Hi,
> > >
> > > At the moment there is still ambiguity in the requirements for PSS with
> > > relation to certificates. Proposal to clarify this:
> > > https://github.com/tlswg/tls13-spec/pull/1098
> > >
> > > This PR intends to clarify the requirements for PSS support.
> >
> > Hi,
> > I commented on the PR, but to provide more context. I believe RSA-PSS
> > keys without parameters MUST be supported under TLS1.3. The reason is
> > that keys explicitly marked as RSA-PSS cannot be used for RSA PKCS#1
> > 1.5 encryption, and thus they provide a way for the server to know that
> > it must protect that key against (cross-protocol) attacks which utilize
> > RSA ciphersuites under TLS1.2.
> >
> > On why you don't want mixing keys for TLS1.3 and TLS1.2 RSA
> > ciphersuites, see all the Bleichenbacher attack reiterations over the
> > years.
> >
> > So what about distinguishing the RSA-PSS keys with and without
> > parameters:
> >
> > "an RSASSA-PSS public key (OID id-RSASSA-PSS) without parameters MUST
> > be supported, while an RSASSA-PSS public key (OID id-RSASSA-PSS) with
> > parameters MAY be supported."
>
> In my understanding, the parameters are REQUIRED (cannot be NULL), but
> an "empty" DER encoding means that the default parameters are used
> (SHA-1, MGF1 with SHA-1, salt length equal to SHA-1 output (20), default
> trailer) per https://tools.ietf.org/html/rfc8017#page-75

That's not what the DEFAULT keyword means in ASN.1. My understanding is
that the default value applies when there is a sequence without that
value present, not when the sequence is not there at all.

Nevertheless, irrespective of that interpretation, for TLS1.3 an empty
DER encoding means nothing of that as these parameters are negotiated
over TLS (e.g., rsa_pss_sha256). See:
https://tools.ietf.org/html/draft-ietf-tls-tls13-21#section-4.2.3

On whether empty parameters are allowed on RSA-PSS certificates, RFC4055
is clear on that: "CAs MAY require that the parameters be present in
the publicKeyAlgorithms field for end-entity certificates."
https://tools.ietf.org/html/rfc4055#section-3

regards,
Nikos

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
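
The encodings this thread distinguishes (parameters field absent, an empty SEQUENCE, and explicitly populated RSASSA-PSS-params), as an added example that is not part of the original messages: a minimal DER classifier for an id-RSASSA-PSS AlgorithmIdentifier. The function names and sample byte strings are constructed for illustration; the field tags follow the RSASSA-PSS-params definition in RFC 4055 / RFC 8017.

```python
ID_RSASSA_PSS = bytes.fromhex("06092a864886f70d01010a")  # OID 1.2.840.113549.1.1.10
FIELDS = ("hashAlgorithm", "maskGenAlgorithm", "saltLength", "trailerField")

def read_tlv(buf, off=0):
    """Parse one definite-length DER TLV; return (tag, value, next_offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: low 7 bits count length octets
        n = length & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[off:off + length], off + length

def classify_pss_params(alg_id):
    """Return (state, explicit_fields) for a DER-encoded AlgorithmIdentifier."""
    tag, body, end = read_tlv(alg_id)
    if tag != 0x30 or end != len(alg_id):
        raise ValueError("expected exactly one SEQUENCE")
    tag, _, off = read_tlv(body)
    if tag != 0x06 or body[:off] != ID_RSASSA_PSS:
        return "not-rsassa-pss", []
    if off == len(body):                   # OID only: no parameters field at all
        return "absent", []
    tag, params, end = read_tlv(body, off)
    if tag != 0x30 or end != len(body):
        raise ValueError("parameters must be a single SEQUENCE")
    present, pos = [], 0
    while pos < len(params):               # fields are EXPLICIT [0]..[3] -> 0xA0..0xA3
        tag, _, pos = read_tlv(params, pos)
        if not 0xA0 <= tag <= 0xA3 or (present and tag - 0xA0 <= present[-1]):
            raise ValueError("unexpected or out-of-order field")
        present.append(tag - 0xA0)
    state = "explicit" if present else "empty-sequence"  # 30 00: every DEFAULT omitted
    return state, [FIELDS[i] for i in present]

# Constructed sample encodings (not taken from any real certificate).
SAMPLES = {
    "absent": bytes.fromhex("300b") + ID_RSASSA_PSS,
    "empty": bytes.fromhex("300d") + ID_RSASSA_PSS + bytes.fromhex("3000"),
    "salt32": bytes.fromhex("3012") + ID_RSASSA_PSS + bytes.fromhex("3005a203020120"),
    "rsaEncryption": bytes.fromhex("300d06092a864886f70d0101010500"),
}
for name, der in SAMPLES.items():
    print(name, classify_pss_params(der))
```
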