On Tue, May 29, 2018 at 11:57:39AM -0700, Andrey Jivsov wrote:
> Greetings.
>
> TLS 1.3 draft in sec 4.2.3. Signature Algorithms tells that if a client
> wants to negotiate TLS 1.3, it must support an upgraded (and
> incompatible) version of TLS 1.2, the one that changes RFC 5246 to allow
> RSA-PSS in sec. 7.4.1.4.1. Signature Algorithms.
>
> You might recall that the possibility to negotiate between PSS and
> RSASSA-PKCS1-v1_5 in the TLS 1.3 handshake, just as it is allowed for X.509
> signatures, was discussed on the mailing list. The WG decision then was
> to hard-wire PSS in the TLS 1.3 handshake.
>
> I don't recall any discussion on going further than this, all the way to
> changing the 10-year-old TLS 1.2.
>
> Unfortunately, our products have issues with PSS beyond our control. The
> only solution left to avoid receiving PSS with TLS 1.2 is to never
> negotiate TLS 1.3 as a client. Another solution is insecure fallback,
> but we presently don't do this.
>
> Is my reading of the situation correct? Thank you.
Sounds like it:

   RSASSA-PKCS1-v1_5 algorithms:  Indicates a signature algorithm using
      RSASSA-PKCS1-v1_5 [RFC8017] with the corresponding hash algorithm
      as defined in [SHS].  These values refer solely to signatures
      which appear in certificates (see Section 4.4.2.2) and are not
      defined for use in signed TLS handshake messages, although they
      MAY appear in "signature_algorithms" and
      "signature_algorithms_cert" for backward compatibility with
      TLS 1.2.

-Ben

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
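An added example, not code from the thread or from any TLS stack, that models the negotiation Andrey describes using the SignatureScheme code points of RFC 8446 section 4.2.3: a TLS 1.3-capable client's signature_algorithms offer carries RSA-PSS code points, so a TLS 1.2 server that prefers PSS can select one, whereas an offer with no PSS code point cannot lead to a PSS signature. The two client offers, the server preference list and the first-match selection rule are constructed assumptions, not taken from the specification.

```python
# Models the signature_algorithms negotiation discussed in the thread.
# Assumption: a TLS 1.2 server with an RSA key picks the first scheme in its
# own preference order that the client offered (a simplification).
import struct

# SignatureScheme code points from RFC 8446 section 4.2.3.
SCHEMES = {
    0x0401: "rsa_pkcs1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",
    0x0809: "rsa_pss_pss_sha256",
}
PSS = {code for code, name in SCHEMES.items() if name.startswith("rsa_pss")}


def encode_sigalgs(codes):
    """Build a signature_algorithms extension body: u16 length + u16 list."""
    body = b"".join(struct.pack("!H", c) for c in codes)
    return struct.pack("!H", len(body)) + body


def decode_sigalgs(data):
    """Parse the extension body; reject a length that does not match."""
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:]
    if length != len(body) or length % 2:
        raise ValueError("malformed signature_algorithms extension")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


def offers_pss(client_ext):
    """True if the client's offer lets a TLS 1.2 peer choose an RSA-PSS scheme."""
    return bool(set(decode_sigalgs(client_ext)) & PSS)


def server_choice(client_ext, server_prefs):
    """Constructed TLS 1.2 server rule: first preferred scheme the client offered."""
    offered = set(decode_sigalgs(client_ext))
    return next((SCHEMES[c] for c in server_prefs if c in offered), None)


# Constructed offers: a TLS 1.3-capable client must list rsa_pss_rsae_sha256
# (RFC 8446 section 9.1); a TLS 1.2-only client may omit every PSS code point.
TLS13_CAPABLE_OFFER = encode_sigalgs([0x0804, 0x0805, 0x0806, 0x0401, 0x0501])
TLS12_ONLY_OFFER = encode_sigalgs([0x0401, 0x0501, 0x0601])
# Constructed TLS 1.2 server that prefers PSS when the client allows it.
PSS_PREFERRING_SERVER = [0x0804, 0x0401, 0x0501]
```

Running `server_choice` with both offers against the PSS-preferring server shows the thread's point: the TLS 1.3-capable offer yields rsa_pss_rsae_sha256 in a TLS 1.2 handshake, the TLS 1.2-only offer yields rsa_pkcs1_sha256.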