Re: [TLS] TLS RSA-PSS and various versions of TLS

On 9 February 2017 at 08:17, Ilari Liusvaara wrote: > If client includes RSA-PSS codepoints in its signature_algorithms, > then: > > - The server handshake signature MAY be signed using RSA-PSS in TLS > 1.2 or later. Yes, 1.2, not 1.3. > - The certificate chain MAY

Re: [TLS] TLS RSA-PSS and various versions of TLS

On Wed, Feb 08, 2017 at 07:34:16PM +, Timothy Jackson wrote: > I have a question on RFC5246 (TLS 1.2) and how it’s going to interact with > RSASSA-PSS as we roll out TLS 1.3. Does the prohibition against RSASSA-PSS > apply only to the signatures that can be used for signing handshakes or >

Re: [TLS] TLS RSA-PSS and various versions of TLS

On 9 February 2017 at 07:20, Yoav Nir wrote: > And it doesn’t help if the client does not provide the extension. The > extension can restrict from among the set of supported algorithms, Its > absence does not allow undefined algorithms. Since TLS 1.3 defines code points for

Re: [TLS] TLS RSA-PSS and various versions of TLS

> On 8 Feb 2017, at 21:34, Timothy Jackson wrote: > > I have a question on RFC5246 (TLS 1.2) and how it’s going to interact with > RSASSA-PSS as we roll out TLS 1.3. Does the prohibition against RSASSA-PSS > apply only to the signatures that can be used for signing

[TLS] TLS RSA-PSS and various versions of TLS

I have a question on RFC5246 (TLS 1.2) and how it’s going to interact with RSASSA-PSS as we roll out TLS 1.3. Does the prohibition against RSASSA-PSS apply only to the signatures that can be used for signing handshakes or does it apply to the entire certificate chain as well? I ask because

Re: [TLS] New Draft: Using DNS to set the SNI explicitly

For me, the main drawback here (besides the futuristic assumptions), is the continued reliance on the DNS infrastructure. Even when using TLS, the DNS is architecturally hostile to privacy, e.g., due to resolvers operated by ISPs or the client subnet extension. I'm sympathetic to the desire to