Re: Mozilla RSA-PSS policy

2017-12-01 Thread Ryan Sleevi via dev-security-policy
On Fri, Dec 1, 2017 at 12:34 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On 01/12/2017 17:06, Ryan Sleevi wrote:
>> On Fri, Dec 1, 2017 at 10:33 AM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Ryan Sleevi via dev-security-policy
On Fri, Dec 1, 2017 at 11:20 AM, Hubert Kario wrote:
> On Friday, 1 December 2017 17:11:56 CET Ryan Sleevi wrote:
> > On Fri, Dec 1, 2017 at 10:23 AM, Hubert Kario wrote:
> > > and fine for NSS too, if that changes don't have to be implemented in next

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Jakob Bohm via dev-security-policy
On 01/12/2017 17:06, Ryan Sleevi wrote:
On Fri, Dec 1, 2017 at 10:33 AM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
Depending on the prevalence of non-public CAs (not listed in public indexes) based on openssl (this would be a smallish company thing more

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Hubert Kario via dev-security-policy
On Friday, 1 December 2017 17:11:56 CET Ryan Sleevi wrote:
> On Fri, Dec 1, 2017 at 10:23 AM, Hubert Kario wrote:
> > and fine for NSS too, if that changes don't have to be implemented in next month or two, but have to be implemented before NSS with final TLS 1.3

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Hubert Kario via dev-security-policy
On Friday, 1 December 2017 16:33:10 CET Jakob Bohm via dev-security-policy wrote:
> On 01/12/2017 16:23, Hubert Kario wrote:
> > On Friday, 1 December 2017 15:33:30 CET Ryan Sleevi wrote:
> >> On Fri, Dec 1, 2017 at 7:34 AM, Hubert Kario wrote:
> It does feel like again

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Ryan Sleevi via dev-security-policy
On Fri, Dec 1, 2017 at 10:23 AM, Hubert Kario wrote:
> > - Windows and NSS both apply DER-like BER parsers and do not strictly reject (Postel's principle, despite Postel-was-wrong)
>
> NSS did till very recently reject them, OpenSSL 1.0.2 still rejects them (probably

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Ryan Sleevi via dev-security-policy
On Fri, Dec 1, 2017 at 10:33 AM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Depending on the prevalence of non-public CAs (not listed in public indexes) based on openssl (this would be a smallish company thing more than a big enterprise thing), it

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Jakob Bohm via dev-security-policy
On 01/12/2017 16:23, Hubert Kario wrote:
On Friday, 1 December 2017 15:33:30 CET Ryan Sleevi wrote:
On Fri, Dec 1, 2017 at 7:34 AM, Hubert Kario wrote:
It does feel like again the argument is The CA/EE should say 'I won't do X' so that a client won't accept a signature

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Hubert Kario via dev-security-policy
On Friday, 1 December 2017 15:33:30 CET Ryan Sleevi wrote:
> On Fri, Dec 1, 2017 at 7:34 AM, Hubert Kario wrote:
> > > It does feel like again the argument is The CA/EE should say 'I won't do X' so that a client won't accept a signature if the CA does X,

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Ryan Sleevi via dev-security-policy
On Fri, Dec 1, 2017 at 7:34 AM, Hubert Kario wrote:
> > It does feel like again the argument is The CA/EE should say 'I won't do X' so that a client won't accept a signature if the CA does X, except it doesn't change the security properties at all if the CA/EE does

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Hubert Kario via dev-security-policy
On Thursday, 30 November 2017 21:49:42 CET Ryan Sleevi wrote:
> On Thu, Nov 30, 2017 at 3:23 PM, Hubert Kario wrote:
> > On Thursday, 30 November 2017 18:46:12 CET Ryan Sleevi wrote:
> > > On Thu, Nov 30, 2017 at 12:21 PM, Hubert Kario wrote:

Re: Mozilla RSA-PSS policy

2017-11-30 Thread Ryan Sleevi via dev-security-policy
On Thu, Nov 30, 2017 at 3:23 PM, Hubert Kario wrote:
> On Thursday, 30 November 2017 18:46:12 CET Ryan Sleevi wrote:
> > On Thu, Nov 30, 2017 at 12:21 PM, Hubert Kario wrote:
> > > if the certificate is usable with PKCS#1 v1.5 signatures, it makes it

Re: Mozilla RSA-PSS policy

2017-11-30 Thread Hubert Kario via dev-security-policy
On Thursday, 30 November 2017 18:46:12 CET Ryan Sleevi wrote:
> On Thu, Nov 30, 2017 at 12:21 PM, Hubert Kario wrote:
> > if the certificate is usable with PKCS#1 v1.5 signatures, it makes it vulnerable to attacks like the Bleichenbacher, if it is not usable with PKCS#1

Re: Mozilla RSA-PSS policy

2017-11-30 Thread Ryan Sleevi via dev-security-policy
On Thu, Nov 30, 2017 at 12:21 PM, Hubert Kario wrote:
> if the certificate is usable with PKCS#1 v1.5 signatures, it makes it vulnerable to attacks like the Bleichenbacher, if it is not usable with PKCS#1 v1.5 it's not vulnerable in practice to such attacks
> A

Re: Mozilla RSA-PSS policy

2017-11-30 Thread Hubert Kario via dev-security-policy
On Wednesday, 29 November 2017 21:59:39 CET Ryan Sleevi wrote:
> On Wed, Nov 29, 2017 at 1:09 PM, Hubert Kario wrote:
> > > So are you stating you do not believe cross-algorithm attacks are relevant?
> >
> > No, I don't believe that cross-algorithm attacks from

Re: Mozilla RSA-PSS policy

2017-11-29 Thread Ryan Sleevi via dev-security-policy
On Wed, Nov 29, 2017 at 1:09 PM, Hubert Kario wrote:
> > The extent of the argument for flexibility, so far, has been OpenSSL's behaviour to produce RSA-PSS signatures with a maximal salt length. These same clients are also incapable of parsing RSA-PSS SPKIs (that only

Re: Mozilla RSA-PSS policy

2017-11-29 Thread Hubert Kario via dev-security-policy
On Wednesday, 29 November 2017 17:00:58 CET Ryan Sleevi wrote:
> On Wed, Nov 29, 2017 at 7:55 AM, Hubert Kario via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> > Because I do not consider making the salt length rigid (one value allowed for every hash) to be of

Re: Mozilla RSA-PSS policy

2017-11-29 Thread Ryan Sleevi via dev-security-policy
On Wed, Nov 29, 2017 at 7:55 AM, Hubert Kario via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> > The fact that this new NSS implementation does not properly validate the well-formedness of these signatures is somewhat in conflict with your statement:
> > ""it

Re: Mozilla RSA-PSS policy

2017-11-28 Thread Ryan Sleevi via dev-security-policy
On Tue, Nov 28, 2017 at 8:04 AM, Hubert Kario wrote:
> On Monday, 27 November 2017 23:37:59 CET Ryan Sleevi wrote:
> > On Mon, Nov 27, 2017 at 4:51 PM, Hubert Kario wrote:
> > > > So no, we should not assume well-meaning actors, and we should be

Re: Mozilla RSA-PSS policy

2017-11-28 Thread Hubert Kario via dev-security-policy
On Monday, 27 November 2017 23:37:59 CET Ryan Sleevi wrote:
> On Mon, Nov 27, 2017 at 4:51 PM, Hubert Kario wrote:
> > > So no, we should not assume well-meaning actors, and we should be explicit about what the "intention" of the RFCs is, and whether they

Re: Mozilla RSA-PSS policy

2017-11-27 Thread Ryan Sleevi via dev-security-policy
On Mon, Nov 27, 2017 at 4:51 PM, Hubert Kario wrote:
> > First, I absolutely disagree with your assumption - we need to assume hostility, and design our code and policies to be robust against that. I should hope that was uncontroversial, but it doesn't seem to be.

Re: Mozilla RSA-PSS policy

2017-11-27 Thread Hubert Kario via dev-security-policy
On Monday, 27 November 2017 20:31:53 CET Ryan Sleevi wrote:
> On Mon, Nov 27, 2017 at 12:54 PM, Hubert Kario wrote:
> > > On the realm of CA policy, we're discussing two matters:
> > > 1) What should the certificates a CA issue be encoded as
> > > 2) How should the CA protect

Re: Mozilla RSA-PSS policy

2017-11-27 Thread Ryan Sleevi via dev-security-policy
On Mon, Nov 27, 2017 at 12:54 PM, Hubert Kario wrote:
> > On the realm of CA policy, we're discussing two matters:
> > 1) What should the certificates a CA issue be encoded as
> > 2) How should the CA protect and use its private key.
> >
> > While it may not be immediately

Re: Mozilla RSA-PSS policy

2017-11-27 Thread Hubert Kario via dev-security-policy
On Monday, 27 November 2017 17:28:02 CET Ryan Sleevi wrote:
> On Thu, Nov 23, 2017 at 7:07 AM, Hubert Kario via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> > In response to comment made by Gervase Markham[1], pointing out that Mozilla doesn't have an official

Re: Mozilla RSA-PSS policy

2017-11-27 Thread Ryan Sleevi via dev-security-policy
On Thu, Nov 23, 2017 at 7:07 AM, Hubert Kario via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> In response to comment made by Gervase Markham[1], pointing out that Mozilla doesn't have an official RSA-PSS usage policy.
>
> This is the thread to discuss it and make a