> On 4 Oct 2016, at 17:11, Valery Smyslov <[email protected]> wrote:
>
> Hi Tero,
>
>> [This is a bit old email, but I have not seen any replies to this, and I
>> am sending this as implementor not as chair.]
>>
>> Valery Smyslov writes:
>>> The problem is that RFC7427 doesn't provide any means to find out
>>> what kind of signatures peer supports. If you have RSA certificate,
>>> you need somehow to guess whether you can use newer PSS signature
>>> format or should stick to old PKCS 1 one. The SIGNATURE_HASH_ALGORITHMS
>>> notification doesn't provide any information of this kind. RFC7427
>>> is silent whether support for RSASSA-PSS is required to be compliant
>>> with it, so I think it is absolutely legal now to have support for Digital
>>> Signature authentication method and have no support for RSASSA-PSS
>>> (as in the product we have tested with).
>>>
>>> The draft draft-ietf-ipsecme-rfc4307bis does require that if
>>> Digital Signatures are supported, then RSASSA-PSS with SHA2-256
>>> MUST be supported. However, even if it becomes RFC in the near future,
>>> it'll take a couple of years before it is adopted by major vendors.
>>
>> Section 5 of the RFC7427 covers this, and we also discussed this when
>> the RFC was being written. The consensus was that in most cases there
>> is existing configuration between peers anyways, thus configuring
>> which key to be used is just one more configuration option to do, and
>> that is easy way to solve the issue.
>>
>> I.e., in the end we decided we do not want to add negotiation for the
>> public key algorithm.
>>
>> [1] https://www.ietf.org/mail-archive/web/ipsec/current/msg08701.html
>> [2] https://www.ietf.org/mail-archive/web/ipsec/current/msg08671.html
>
> No, this was a different issue. I remember that discussion very well (since
> I initiated it) and I wouldn't start it over again.
>
> The issue we came across is not about different algorithms
> (say indicating whether we need to use RSA or ECDSA if we have
> both certificates). The algorithm is essentially one - RSA, and we have
> exactly one RSA certificate. However, we can create AUTH
> payload using RSA-PKCS 1.5 or using RSASSA-PSS signature
> formats. And we came across that the peer from a different
> vendor doesn't understand RSASSA-PSS signatures while
> supporting RFC7427. This is the issue. We have no clue
> whether it is safe to use RSASSA-PSS or not and
> the RFC gives us no means to get this clue. This is the problem.
There is one clue. The signature in the certificate. If the certificate is signed with PKCS #1.5 it is safest to use PKCS #1.5 for authentication. If the certificate is signed with PSS then it’s probably safe to use PSS in the signature.

I know this greatly delays the deployment of PSS, because for a certificate issuer PKCS #1.5 is the safest route, but I don’t know that we can do better without either a negotiation or prior agreement (which just means configuration from an implementer’s POV).

Yoav
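Yoav's heuristic, as an added example that is not part of the thread: a small Python routine that reads the outer signatureAlgorithm OID of the peer's DER-encoded certificate and picks RSASSA-PSS for our AUTH payload only when the issuer itself signed with PSS. The minimal DER helpers, the skeleton-certificate builder (constructed test input, not a real certificate) and the fallback to PKCS#1 v1.5 when the issuer's signature gives no RSA clue at all are assumptions of this example, not anything RFC 7427 specifies.

```python
RSASSA_PSS_OID = "1.2.840.113549.1.1.10"   # id-RSASSA-PSS (RFC 4055)

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:                   # base-128 arcs, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def certificate_signature_oid(cert_der):
    """OID of the outer Certificate.signatureAlgorithm (RFC 5280, section 4.1)."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)     # signatureAlgorithm
    tag, oid, _ = _read_tlv(alg_id, 0)      # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def choose_rsa_auth_scheme(cert_der):
    """Signature format for our AUTH payload, from how the peer's cert was signed."""
    oid = certificate_signature_oid(cert_der)
    if oid == RSASSA_PSS_OID:
        return "RSASSA-PSS"                 # issuer used PSS: PSS is probably safe
    # PKCS#1 v1.5 issuer signature, or no RSA clue at all (e.g. ECDSA issuer):
    # stay with the format the peer was seen to accept (assumed default).
    return "RSASSA-PKCS1-v1_5"

def _der(tag, content):                     # short-form lengths only (< 128 bytes)
    return bytes([tag, len(content)]) + content

def skeleton_cert(sig_alg_oid_der):
    """Constructed Certificate skeleton: empty tbsCertificate, given sigAlg, empty sig."""
    alg_id = _der(0x30, sig_alg_oid_der + _der(0x05, b""))    # OID + NULL params
    return _der(0x30, _der(0x30, b"") + alg_id + _der(0x03, b"\x00"))

SHA256_RSA_OID_DER = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
RSASSA_PSS_OID_DER = bytes.fromhex("06092a864886f70d01010a")  # id-RSASSA-PSS
```

A real implementation would run the same check on the actual peer certificate received in the CERT payload; RFC 5280 requires the outer signatureAlgorithm to match tbsCertificate.signature, so either field works.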
