On 05/29/2018 06:17 PM, Martin Thomson wrote:
> On Wed, May 30, 2018 at 7:20 AM Andrey Jivsov <cry...@brainhub.org> wrote:
>> The issue here is that some hardware devices don't implement RSA CRT
>> method with PSS, because they hard-wire RSA, legacy padding, and CRT
>> method in one operation. RSA PSS can still be done, but only via a
>> general modexp operation, which will be ~2x slower. Therefore, in these
>> scenarios PSS incurs 2x performance penalty.
>
> I'm fairly certain that we've had this discussion before. What is new?
>
The quoted text is old. The need to upgrade TLS 1.2 code if I support TLS 1.3 is new.

I am curious about the scenarios in which this upgrade of TLS 1.2 to PSS will take place:

- This upgrade of TLS 1.2 can only be done by servers that support TLS 1.3.
- TLS 1.2 clients won't advertise TLS 1.3 Signature Algorithm IDs; only TLS 1.3 clients will have e.g. rsa_pss_rsae_sha256 and others in signature_algorithms. Therefore, TLS 1.3 should get negotiated between these peers.

The relevant paragraph from the TLS 1.3 draft seems to add uncertainty in unexplained cases when the TLS 1.3 server decides to drop the negotiated version to TLS 1.2. What problem does this paragraph try to solve?

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
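The negotiation point raised above (a TLS 1.2 server only learns that the peer can take an RSA-PSS signature if the peer listed rsa_pss_rsae_* ids in signature_algorithms) is illustrated by the following added example, which is not code from the thread or from any TLS stack. It parses a signature_algorithms extension body and shows which RSA scheme a server with an RSA certificate would select; the SignatureScheme code points are those assigned in RFC 8446, and both extension bodies are constructed samples.

```python
import struct

# SignatureScheme code points from RFC 8446, section 4.2.3. The rsa_pss_rsae_*
# ids are the TLS 1.3 ones the poster says a TLS 1.2-only client never sends.
SIGNATURE_SCHEMES = {
    0x0401: "rsa_pkcs1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",
    0x0403: "ecdsa_secp256r1_sha256",
}


def parse_signature_algorithms(body: bytes) -> list:
    """Parse a signature_algorithms extension body: a 2-byte length followed
    by that many bytes of 2-byte SignatureScheme ids, in client preference order."""
    if len(body) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", body[:2])
    # Reject odd lengths and trailing/missing bytes instead of guessing.
    if length == 0 or length % 2 != 0 or 2 + length != len(body):
        raise ValueError("bad signature_algorithms length")
    ids = struct.unpack("!%dH" % (length // 2), body[2:2 + length])
    return [SIGNATURE_SCHEMES.get(i, "unknown_0x%04x" % i) for i in ids]


def pss_advertised(schemes) -> bool:
    """True if the peer offered any TLS 1.3 RSA-PSS scheme (rsae variants)."""
    return any(s.startswith("rsa_pss_rsae_") for s in schemes)


def pick_rsa_scheme(schemes, server_has_pss: bool):
    """Server-side choice for an RSA certificate: prefer rsa_pss_rsae_* when the
    peer offered it and the server can sign PSS (e.g. its hardware does CRT+PSS,
    or it accepts the plain-modexp cost); otherwise fall back to rsa_pkcs1_*.
    Within a class, the client's own ordering is honoured."""
    prefixes = ("rsa_pss_rsae_", "rsa_pkcs1_") if server_has_pss else ("rsa_pkcs1_",)
    for prefix in prefixes:
        for s in schemes:
            if s.startswith(prefix):
                return s
    return None


# Constructed samples: a TLS 1.3-capable client (lists PSS first) and a
# TLS 1.2-only client that knows only the legacy PKCS#1 v1.5 ids.
TLS13_CLIENT = bytes.fromhex("0008" "0804" "0403" "0401" "0501")
TLS12_CLIENT = bytes.fromhex("0004" "0401" "0501")
```

Run against the two samples, the TLS 1.2-only list yields rsa_pkcs1_sha256 regardless of server PSS support, while the TLS 1.3 list yields rsa_pss_rsae_sha256 only when the server opts into PSS.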