Yaron Sheffer writes:
> Thanks for your response, I am fine with your comments but I have a
> question: in Sec. 4.2, we have: "With the use of Digital Signature,
> RSASSA-PKCS1-v1.5 MAY be implemented. RSASSA-PSS MUST be implemented."
> And then the table has SHOULD for RSA (as well as ECDSA). How come?

RSASSA-PSS MUST be implemented if Digital Signature authentication
method is implemented, but it can be implemented with multiple hash
algorithms. On the other hand in hash algorithms part we have just one
MUST and that is for SHA2-256.

The reason why RSASSA-PSS with SHA-256 is listed only as SHOULD is
mostly caused by the fact that Digital Signature authentication method
is still only SHOULD and we do not have implementations for it, so we
do not have implementor comments for it yet.

So Digital Signature in general is SHOULD. SHA2-256 as hash algorithm
is MUST when implementing Digital Signature authentication method.
RSASSA-PSS is MUST when implementing Digital Signature.

That would actually make RSASSA-PSS with SHA-256 an effective MUST, if
Digital Signature is in general supported, but we do not label it as
MUST as a compliant implementation can still decide not to implement
digital signatures at all.

> Coming to think of it, if we want to ensure interoperability between
> peers that use RSA certs and peers that use ECDSA certs, then at least
> one (probably RSA) needs to be a MUST, even if people are using RFC7427.

Usually this is not a problem, i.e., in normal use the configuration
has just one private key (either RSA or ECDSA) and that is what is
used. If you have an ECDSA private key and the implementation does not
support ECDSA, you cannot use that implementation, you need to pick
another implementation. The other end of the configuration is also
configured to trust your private key (either by config, or through
CA), and if it cannot support your private key type you cannot really
configure it that way.

I.e., the implementation requirements do not come from this document,
they came from the pre-existing authentication infrastructure and
private keys users have.

Anyways when we make Digital Signature authentication method a MUST,
we can also make RSASSA-PSS with SHA-256 a MUST.
The question there is should we already mark this fact by making it
now SHOULD+, as we do expect it to be the next mandatory-to-implement
algorithm if Digital Signature authentication method really gets
deployed?
-- 
[email protected]
