Hello,
We could consider adding this item to the working charter:
Explicitly negotiating different RSA versions (specific case):
According to section 3.2 of RFC 8247 (which was rfc4307bis), it is mentioned
that:
"When the Digital Signature authentication method is used with RSA
signature algorithm, RSASSA-PSS MUST be supported and RSASSA-PKCS1-v1.5
MAY be supported"
However, the way to signal to the peer which version of RSA is being used
is mentioned in neither RFC 7427 nor RFC 8247.
Right now there is no way to fall back from RSASSA-PSS to
RSASSA-PKCS1-v1.5 or vice versa. (Ideally, since RSASSA-PSS MUST be
supported on both ends where Digital Signatures are implemented, the fallback
case should not arise. Then why is there a need to still support the older
RSASSA-PKCS1-v1.5 (the MAY case)?)
Since RFC 8247 clearly mentions that there should be a MUST and a MAY
case, there should also be clarity on how to switch between the two methods.
A more general case:
Please note that RSASSA-PSS is just a specific case, but the root of the
problem is that while the peers announce the list of hashes they support
for use with Digital Signatures, there is no explicit way for them to announce
the list of signature formats they support. Earlier this was not a problem because
there was only one signature format (RSA PKCS#1). But now we have the newer
RSASSA-PSS signature format, and therefore the problem. We can probably
envision that the number of signature formats will grow (newer Edwards-curve
signatures, even newer hash-based signatures, etc.), so we expect that
the specific problem with RSASSA-PSS won't be the only problem with
signature formats.
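To make the gap concrete, here is an added Python illustration (not part of this mail or of any IKEv2 implementation) that decodes the only two places RFC 7427 carries algorithm information: the SIGNATURE_HASH_ALGORITHMS notify, which lists 16-bit hash IDs and nothing else, and the AlgorithmIdentifier prefix of the AUTH payload's Authentication Data, which is the first point at which a receiver learns whether RSASSA-PSS or RSASSA-PKCS1-v1.5 was actually used. The sample notify and the two Authentication Data prefixes are constructed from the encodings in RFC 7427 Appendix A; the trailing signature bytes are placeholders.

```python
import struct

HASH_IDS = {1: "SHA1", 2: "SHA2-256", 3: "SHA2-384", 4: "SHA2-512"}   # IANA IKEv2 hash IDs
SIG_OIDS = {"1.2.840.113549.1.1.10": "RSASSA-PSS",                      # RFC 7427 App. A
            "1.2.840.113549.1.1.11": "RSASSA-PKCS1-v1_5 (sha256WithRSAEncryption)"}

def parse_hash_notify(data: bytes) -> list:
    """SIGNATURE_HASH_ALGORITHMS notify data: 16-bit hash IDs only, no signature formats."""
    ids = struct.unpack(f">{len(data) // 2}H", data)
    return [HASH_IDS.get(i, f"unassigned({i})") for i in ids]

def der_tlv(buf: bytes, pos: int):
    """Minimal DER tag/length/value reader (short- and long-form lengths)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    """Decode DER OID content octets to dotted form (base-128 arcs)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_format(auth_data: bytes) -> str:
    """RFC 7427 Auth Data = ASN.1 Length (1 octet) | AlgorithmIdentifier | Signature Value."""
    alg_len = auth_data[0]
    tag, seq, end = der_tlv(auth_data, 1)
    if tag != 0x30 or end != 1 + alg_len:
        raise ValueError("malformed AlgorithmIdentifier prefix")
    tag, oid_body, _ = der_tlv(seq, 0)      # first element of the SEQUENCE is the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return SIG_OIDS.get(decode_oid(oid_body), "unknown signature format")

# Constructed samples: a notify offering three hashes, then Authentication Data for
# RSASSA-PKCS1-v1_5/SHA-256 and RSASSA-PSS/SHA-256 (salt 32) with placeholder signatures.
NOTIFY = bytes.fromhex("0002 0003 0004")
PKCS1_AUTH = bytes.fromhex("0f 300d 06092a864886f70d01010b 0500") + b"\x00" * 16
PSS_AUTH = bytes.fromhex("48 3046 06092a864886f70d01010a 3039"
                         "a00f300d06096086480165030402010500"
                         "a11c301a06092a864886f70d010108300d06096086480165030402010500"
                         "a203020120 a303020101") + b"\x00" * 16

if __name__ == "__main__":
    print(parse_hash_notify(NOTIFY))        # hashes only; PSS vs PKCS#1 v1.5 is not signalled
    print(signature_format(PKCS1_AUTH), "|", signature_format(PSS_AUTH))
```

Both Authentication Data samples would pass the same hash negotiation, which is exactly the point: the format is only discoverable after the peer has already signed.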
Thank you.
Regards,
Sahana Prasad
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec