> On 18 Nov 2016, at 5:38, Tero Kivinen <[email protected]> wrote: > > Watson Ladd writes: >> I might be confused, but the slides in >> https://www.ietf.org/proceedings/97/slides/slides-97-ipsecme-signature-forms-ambiguity-in-ikev2-00.pdf >> seem to very clearly want something else. Apologies for my >> insufficient context inclusion. > > Yes, with RSA I think it might be quite common for people to use same > key for both RSA PKCS#1 v1.5 and RSA-PSS, and there is not really > anything we can do for that.
If that is a problem, then it is more serious for TLS. TLS 1.2 has only PKCS#1. TLS 1.3 has only PSS. So a server that uses a single certificate with RSA for both versions (probably most servers in 1-2 years) will be producing both kinds of signatures from the same key. If that’s a problem, it should be raised during WGLC of TLS 1.3 (which si now) Yoav _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
