On Monday, 19 July 2021 14:06:41 CEST, Peter Gutmann wrote:
> Ilari Liusvaara <ilariliusva...@welho.com> writes:
>
>> Actually, I think this is quite a messy issue:
>
> It certainly is.
>
>> Signature schemes 0x0403, 0x0503 and 0x0603 alias signature algorithm 3
>> hash 4, 5 and 6. However, those two things are not the same, because the
>> former have curve restriction, but the latter do not.
>
> That and the 25519/448 values are definitely the weirdest of the lot. In
> particular the value 0x03 means P256 when used with SHA256, P384 when used
> with SHA384, and P521 when used with SHA512.
>
>> So one algorithm one could use is:
>>
>> - Handle anything with signature 0-3/224-255 and hash 0-6/224-255 as a
>>   signature/hash pair.
>> - Display schemes 0x0840 and 0x0841 specially.
>> - Handle anything else as a signature scheme.
>
> I think an easier, meaning with fewer special cases, way to handle it is
> for a TLS 1.2 implementation to treat the values defined in 5246 as
> { hash, signature } pairs and for TLS 1.3 and newer implementations to
> treat all values as 16-bit cipher suites, combined with a reworking of the
> definitions, e.g. to define the "ed25519" suite in terms of the curve and
> hash algorithm, not just "Ed25519 and you're supposed to know the rest".
>
>> The reason is that some TLS implementations have a very hard time
>> supporting RSA-PSS certificates.
>
> But why should the TLS layer care about what OID is used to represent an
> RSA key in a certificate? The signature at the TLS level is either a PSS
> signature or it isn't, it doesn't matter which OID is used in the
> certificate that carries the key.

It only doesn't matter if you don't want to verify the certificate...

It's one thing to be able to verify an RSA-PSS signature on the TLS level,
it's entirely another to be able to properly handle all the different
RSA-PSS limitations when using it in SPKI in X.509.

> More to the point, the TLS layer may have no way to determine which OID is
> used in the certificate, it's either an RSA key or not, not "it's an RSA
> key with OID A" or "it's an RSA key with OID B".
>
> So I think for bis the text should rename rsa_pss_rsae_xxx to just
> rsa_pss_xxx and drop rsa_pss_pss_xxx, which I assume has never been used
> anyway because I don't know of any public CA that'll issue a certificate
> with a PSS OID.

That's because browsers don't have the code to handle RSA-PSS certificates.
But that doesn't mean that there is no code that can do that.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
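The two readings argued over above (Ilari's three-step classifier for the 16-bit signature_algorithms value, and Peter's split of "pairs for TLS 1.2, whole 16-bit schemes for TLS 1.3") can be put side by side in a few lines. The decoder below is an added example written for this page; it is not code from the thread or from any TLS implementation. It assumes only the RFC 5246 HashAlgorithm/SignatureAlgorithm registries and the RFC 8446 SignatureScheme names; the 0x0840/0x0841 entries are merely flagged as "special" as the mail says, with no names assumed for them, and the `decode`/`classify`/`explain` function names are mine.

```python
"""
Two readings of a 16-bit TLS signature_algorithms code point.

Added example; not code from any TLS implementation. Implements Ilari's
classification rule as stated in the mail, and Peter's version-split
reading, to show why the same bytes 0x0403 name an unrestricted
{sha256, ecdsa} pair under RFC 5246 but the curve-restricted
ecdsa_secp256r1_sha256 scheme under RFC 8446.
"""
from dataclasses import dataclass

# RFC 5246 section 7.4.1.4.1: HashAlgorithm is the high byte, SignatureAlgorithm
# the low byte. Values 224-255 are the private-use range in both registries.
HASH_5246 = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
             4: "sha256", 5: "sha384", 6: "sha512"}
SIG_5246 = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# RFC 8446 section 4.2.3 SignatureScheme values. Only these are assumed here.
SCHEMES_8446 = {
    0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384", 0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256", 0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384", 0x0806: "rsa_pss_rsae_sha512",
    0x0807: "ed25519", 0x0808: "ed448",
    0x0809: "rsa_pss_pss_sha256", 0x080A: "rsa_pss_pss_sha384", 0x080B: "rsa_pss_pss_sha512",
    0x0201: "rsa_pkcs1_sha1", 0x0203: "ecdsa_sha1",
}

# Ilari's "display specially" entries; their names are deliberately not assumed.
SPECIAL = frozenset({0x0840, 0x0841})


def _private_use(b: int) -> bool:
    return 224 <= b <= 255


def classify(value: int) -> str:
    """Ilari's three-step rule, applied in the order given in the mail."""
    hash_b, sig_b = value >> 8, value & 0xFF
    if (sig_b <= 3 or _private_use(sig_b)) and (hash_b <= 6 or _private_use(hash_b)):
        return "pair"
    if value in SPECIAL:
        return "special"
    return "scheme"


@dataclass(frozen=True)
class Decoded:
    kind: str               # "pair", "scheme", "special" or "unknown"
    name: str
    curve_restricted: bool  # True only for the RFC 8446 ecdsa_secpXXXr1 schemes


def decode(value: int, tls13: bool) -> Decoded:
    """Peter's version-split reading: {hash, signature} pairs for TLS 1.2,
    whole 16-bit schemes for TLS 1.3."""
    if tls13:
        name = SCHEMES_8446.get(value)
        if name is not None:
            return Decoded("scheme", name, name.startswith("ecdsa_secp"))
        kind = "special" if value in SPECIAL else "unknown"
        return Decoded(kind, f"0x{value:04x}", False)
    # TLS 1.2: a pair says which hash and which signature algorithm, never which curve.
    if classify(value) == "pair":
        hash_b, sig_b = value >> 8, value & 0xFF
        h = HASH_5246.get(hash_b, f"hash{hash_b}")
        s = SIG_5246.get(sig_b, f"sig{sig_b}")
        return Decoded("pair", f"{s}+{h}", False)
    # RFC 8446 section 4.2.3 also lets TLS 1.2 use its new (non-pair-shaped) code points.
    name = SCHEMES_8446.get(value)
    if name is not None:
        return Decoded("scheme", name, False)
    return Decoded("special" if value in SPECIAL else "unknown", f"0x{value:04x}", False)


def explain(value: int) -> str:
    """One line contrasting the TLS 1.2 and TLS 1.3 readings of a code point."""
    a, b = decode(value, tls13=False), decode(value, tls13=True)
    return (f"0x{value:04x}: TLS1.2={a.name} ({a.kind}), "
            f"TLS1.3={b.name} ({b.kind}, curve_restricted={b.curve_restricted})")


if __name__ == "__main__":
    # 0x0403/0x0503/0x0603 are the aliases Ilari mentions; 0xE0E0 is a private-use pair.
    for v in (0x0403, 0x0503, 0x0603, 0x0804, 0x0807, 0x0840, 0xE0E0):
        print(explain(v))
```

Running it shows the ambiguity directly: `0x0403` is `ecdsa+sha256` on any curve for a TLS 1.2 reader and `ecdsa_secp256r1_sha256` for a TLS 1.3 reader, while `0x0807` and `0x0804` never fit the pair shape and so are schemes under both rules. A private-use pair such as `0xE0E0` lands in Ilari's "pair" bucket even though no registry names it, which is the kind of corner Peter's version split avoids having to classify at all.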