Valery Smyslov writes:
> No. it was different discussion. We discussed the situation
> when peers have several private keys for different algorithms
> (say RSA and ECDSA) and the way they select the proper one.
>
> Now consider the situation when a host has a single key pair for RSA.
> However, it can either prepare RSASSA-PKCS1-v1.5 signature
> or RSASSA-PSS signature. The problem is that the host
> doesn't know if its peer supports RSASSA-PSS or not and RFC7427
> doesn't allow peers to indicate what formats are supported - only hashes
> are exchanged.

My original idea was that while changing to the RFC7427 everybody would also move to the RSASSA-PSS and PKCS1-v1.5 would be obsoleted at that point. I.e., if you implement RFC7427 you should also get the RSA updated to the safer version. I mean if you are using RSASSA-PKCS1-v1.5 you can use the old authentication method; the RFC7427 support is needed for RSASSA-PSS. And RSASSA-PKCS1-v1.5 has some issues. This is described in the RFC7427 Introduction and Security Considerations sections.

> In your draft you artificially link Digital Signature auth with
> support for RSASSA-PSS, so if you support Digital Signature
> authentication then you MUST support RSASSA-PSS. I understand that
> this is probably the only possible solution for now, but in general
> this linkage is not a good thing. If tomorrow RSASSA-PSS is updated
> and a new incompatible RSASSA-PSSv2 is adopted, then how will the
> peers indicate that this new format is supported? We'll have a lot
> of interoperability issues...

If RSASSA-PSSv2 is done because RSASSA-PSS is found broken, then we just mark RSASSA-PSS as MUST NOT, and move to the new version.

Anyways the reason why there is no negotiation for the private key type or signature algorithm other than hash is that the IKE_SA_INIT exchange needs to be kept short, so adding too much negotiation stuff there is a bad idea. This was discussed when the RFC7427 was being written. The original idea was to support ECDSA, and RSASSA-PSS was more or less a side-product from the final design. But it was still a side-product that people wanted to keep. We also did not allow negotiating other parameters in the RSASSA-PSS [1]. You did propose making negotiation more complex [2] during the WGLC of RFC7427, but as you can see from my reply [3] it would get really complicated then. Then at the end of that discussion we didn't make any changes to the document.
[1] https://www.ietf.org/mail-archive/web/ipsec/current/msg08027.html
[2] https://www.ietf.org/mail-archive/web/ipsec/current/msg08671.html
[3] https://www.ietf.org/mail-archive/web/ipsec/current/msg08673.html
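To make the gap the thread describes concrete, here is an added example (not code from the thread or from any IKEv2 implementation) showing that the SIGNATURE_HASH_ALGORITHMS notify carries only 16-bit hash IDs, while the choice of RSASSA-PKCS1-v1.5 versus RSASSA-PSS only becomes visible in the AlgorithmIdentifier prefix of the RFC 7427 Authentication Data. The sample payloads are constructed; the PSS AlgorithmIdentifier omits its parameters for brevity, and the signature bytes are placeholders.

```python
import struct

# IANA "IKEv2 Hash Algorithms" registry values used by RFC 7427.
HASH_IDS = {1: "SHA1", 2: "SHA2-256", 3: "SHA2-384", 4: "SHA2-512"}

def encode_hash_notify(hash_ids):
    """Notify data for SIGNATURE_HASH_ALGORITHMS: a list of 16-bit hash IDs."""
    return b"".join(struct.pack("!H", h) for h in hash_ids)

def decode_hash_notify(data):
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(0, len(data), 2)]

def common_hashes(mine, peer_notify_data):
    """Hash selection is all that is negotiated; nothing here says PSS vs v1.5."""
    peer = set(decode_hash_notify(peer_notify_data))
    return [h for h in mine if h in peer]

def decode_oid(body):
    """Dotted form of a DER OBJECT IDENTIFIER body (assumes first arc is 0, 1 or 2)."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(x) for x in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])

def signature_method(auth_data):
    """RFC 7427 Authentication Data: 1-octet ASN.1 length, AlgorithmIdentifier, signature.
    Returns the OID of the signature method the signer chose unilaterally."""
    asn1_len = auth_data[0]
    alg_id = auth_data[1:1 + asn1_len]
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }
    if alg_id[0] != 0x30 or alg_id[2] != 0x06:
        raise ValueError("not an AlgorithmIdentifier")
    return decode_oid(alg_id[4:4 + alg_id[3]])

SUPPORTED_METHODS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption (PKCS#1 v1.5)"}
RSASSA_PSS_OID = "1.2.840.113549.1.1.10"

def check_peer_signature(auth_data):
    """Receiver-side check: classify the method before attempting verification."""
    oid = signature_method(auth_data)
    if oid in SUPPORTED_METHODS:
        return "ok"
    return "peer used RSASSA-PSS, not supported here" if oid == RSASSA_PSS_OID else "unknown"

# Constructed samples (RFC 7427 Appendix A style); trailing zero bytes stand in for the signature.
PKCS1_SHA256_ALG = bytes.fromhex("300d06092a864886f70d01010b0500")
PKCS1_SHA256_AUTH = bytes([len(PKCS1_SHA256_ALG)]) + PKCS1_SHA256_ALG + b"\x00" * 4
PSS_ALG = bytes.fromhex("300b06092a864886f70d01010a")  # RSASSA-PSS OID, parameters elided
PSS_AUTH = bytes([len(PSS_ALG)]) + PSS_ALG + b"\x00" * 4
```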
