Ilari Liusvaara <ilariliusva...@welho.com> writes:

>Actually, I think this is quite a messy issue:

It certainly is.

>Signature schemes 0x0403, 0x0503 and 0x0603 alias signature algorithm 3 hash
>4, 5 and 6. However, those two things are not the same, because the former
>have a curve restriction, but the latter do not.

That and the 25519/448 values are definitely the weirdest of the lot. In particular the value 0x03 means P256 when used with SHA256, P384 when used with SHA384, and P521 when used with SHA512.

>So one algorithm one could use is:
>
>- Handle anything with signature 0-3/224-255 and hash 0-6/224-255 as
>  signature/hash pair.
>- Display schemes 0x0840 and 0x0841 specially.
>- Handle anything else as signature scheme.

I think an easier, meaning with fewer special cases, way to handle it is for a TLS 1.2 implementation to treat the values defined in 5246 as { hash, signature } pairs and for TLS 1.3 and newer implementations to treat all values as 16-bit cipher suites, combined with a reworking of the definitions, e.g. to define the "ed25519" suite in terms of the curve and hash algorithm, not just "Ed25519 and you're supposed to know the rest".

>The reason is that some TLS implementations have a very hard time supporting
>RSA-PSS certificates.

But why should the TLS layer care about what OID is used to represent an RSA key in a certificate? The signature at the TLS level is either a PSS signature or it isn't, it doesn't matter which OID is used in the certificate that carries the key. More to the point, the TLS layer may have no way to determine which OID is used in the certificate, it's either an RSA key or not, not "it's an RSA key with OID A" or "it's an RSA key with OID B".

So I think for bis the text should rename rsa_pss_rsae_xxx to just rsa_pss_xxx and drop rsa_pss_pss_xxx, which I assume has never been used anyway because I don't know of any public CA that'll issue a certificate with a PSS OID.

Peter.
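The two ways of reading a signature_algorithms list discussed in this message, side by side, as an added example that is not code from either participant or from any TLS implementation. The name tables are taken from RFC 5246 and RFC 8446 (the 8446 table is a subset), the sample extension bytes are constructed, and all function names are hypothetical.

```python
import struct

# TLS 1.2 view: RFC 5246 HashAlgorithm and SignatureAlgorithm octets.
HASHES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
          4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
# TLS 1.3 view: RFC 8446 SignatureScheme names (subset, enough for the sample).
SCHEMES = {0x0201: "rsa_pkcs1_sha1", 0x0403: "ecdsa_secp256r1_sha256",
           0x0503: "ecdsa_secp384r1_sha384", 0x0603: "ecdsa_secp521r1_sha512",
           0x0804: "rsa_pss_rsae_sha256", 0x0807: "ed25519",
           0x0809: "rsa_pss_pss_sha256"}
SPECIAL = {0x0840, 0x0841}  # "display specially" in the quoted proposal

def parse_sigalgs(ext_data):
    """Parse signature_algorithms extension_data: 2-byte length, then 16-bit values."""
    if len(ext_data) < 2:
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", ext_data)
    if n == 0 or n % 2 or n != len(ext_data) - 2:
        raise ValueError("bad list length %d" % n)
    return list(struct.unpack_from("!%dH" % (n // 2), ext_data, 2))

def _pair_octet(octet, top):
    # Assigned range 0..top plus the 224..255 range named in the proposal.
    return octet <= top or 224 <= octet <= 255

def classify(value):
    """Three-way split from the quoted proposal: pair, special or scheme."""
    hash_id, sig_id = value >> 8, value & 0xFF
    if _pair_octet(sig_id, 3) and _pair_octet(hash_id, 6):
        return "pair"
    return "special" if value in SPECIAL else "scheme"

def describe(value, tls13):
    """Version-keyed reading from the reply: pairs in TLS 1.2, whole values in 1.3."""
    hash_id, sig_id = value >> 8, value & 0xFF
    if tls13 and value in SCHEMES:
        return SCHEMES[value]
    if not tls13 and hash_id in HASHES and sig_id in SIGS:
        return "{%s, %s}" % (HASHES[hash_id], SIGS[sig_id])
    return "unlisted(0x%04x)" % value

# Constructed sample: length 0x000c followed by six code points.
SAMPLE = bytes.fromhex("000c" "0403" "0603" "0804" "0807" "0840" "0201")

if __name__ == "__main__":
    for v in parse_sigalgs(SAMPLE):
        print("0x%04x  %-7s  1.2: %-18s  1.3: %s"
              % (v, classify(v), describe(v, False), describe(v, True)))
```

For 0x0403 the TLS 1.2 reading yields `{sha256, ecdsa}` with no curve named, while the TLS 1.3 reading yields `ecdsa_secp256r1_sha256`, which is the aliasing the thread is about.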