Re: [TLS] SHA-3 in SignatureScheme

While there seems to be some support for adding SHA-3 to TLS, we're not seeing enough support to add it as part of TLS 1.3. Individual drafts that specify ciphers suites can always be separately considered though. Cheers, J On Fri, Sep 9, 2016 at 4:30 AM, Martin Thomson

Re: [TLS] SHA-3 in SignatureScheme

On 9 September 2016 at 20:02, Gilles Van Assche wrote: > My point was technically how to best use FIPS 202 in RSA PSS, and we (as > Keccak team) would be more than happy to help in that area. And I'm more than happy to have the work happen, but I think that we can do

Re: [TLS] SHA-3 in SignatureScheme

I don't mind if this is done in a separate spec. My point was technically how to best use FIPS 202 in RSA PSS, and we (as Keccak team) would be more than happy to help in that area. Kind regards, Gilles On 09/09/16 06:20, Martin Thomson wrote: > On 7 September 2016 at 18:24, Ilari Liusvaara

Re: [TLS] SHA-3 in SignatureScheme

On 7 September 2016 at 18:24, Ilari Liusvaara wrote: > Therefore I think that this work should be pursued in a separate spec, > not in TLS 1.3 core. I think that Ilari has it here. ___ TLS mailing list TLS@ietf.org

Re: [TLS] SHA-3 in SignatureScheme

On Tue, Sep 06, 2016 at 01:47:48PM +0200, Gilles Van Assche wrote: > Hello, > > For RSA PSS, I would suggest to consider: > rsa_pss_shake128 > rsa_pss_shake256 > where SHAKE128 (or 256), as an exendable output function (XOF), directly > replaces the mask generating function MGF. > > This would

Re: [TLS] SHA-3 in SignatureScheme

+1 On 9/6/16, 7:47 , "TLS on behalf of Gilles Van Assche" wrote: Hello, For RSA PSS, I would suggest to consider: rsa_pss_shake128 rsa_pss_shake256 where SHAKE128 (or 256), as an exendable output function (XOF), directly

Re: [TLS] SHA-3 in SignatureScheme

Hello, For RSA PSS, I would suggest to consider: rsa_pss_shake128 rsa_pss_shake256 where SHAKE128 (or 256), as an exendable output function (XOF), directly replaces the mask generating function MGF. This would make RSA PSS simpler and more efficient. Kind regards, Gilles On 01/09/16 19:38,

Re: [TLS] SHA-3 in SignatureScheme

On Mon, Sep 05, 2016 at 10:17:58AM +0200, Nikos Mavrogiannopoulos wrote: > On Fri, 2016-09-02 at 10:04 -0700, Eric Rescorla wrote: > > > > > I also am not following why we need to do this now. The reason we > > > defined SHA-2 in > > > > a new RFC was because (a) SHA-1 was looking weak and (b) we

Re: [TLS] SHA-3 in SignatureScheme

> On 5 Sep 2016, at 11:17 AM, Nikos Mavrogiannopoulos wrote: > > On Fri, 2016-09-02 at 10:04 -0700, Eric Rescorla wrote: > I also am not following why we need to do this now. The reason we >>> defined SHA-2 in a new RFC was because (a) SHA-1 was looking weak and (b)

Re: [TLS] SHA-3 in SignatureScheme

On Fri, 2016-09-02 at 10:04 -0700, Eric Rescorla wrote: > > > I also am not following why we need to do this now. The reason we > > defined SHA-2 in > > > a new RFC was because (a) SHA-1 was looking weak and (b) we had > > to make significant > > > changes to TLS to allow the use of SHA-2. This

Re: [TLS] SHA-3 in SignatureScheme

> On 2 Sep 2016, at 10:28 PM, Blumenthal, Uri - 0553 - MITLL > wrote: > We have SHA-256 and SHA-384. > > No. By the same token we have AES-128, AES-256, ECDHE over P256, etc. > > I support adding SHA-3 to the core. > > Alternatively, feel free to throw ChaCha out and

Re: [TLS] SHA-3 in SignatureScheme

On 9/2/16, 15:22 , "TLS on behalf of Eric Rescorla" wrote: But then we have: * AES and ChaCha (two modes for the former one even) * RSA and ECDSA * NIST curves and Bernstein curves * ECDHE key exchange an DHE key exchange only the SHA-2 stands

Re: [TLS] SHA-3 in SignatureScheme

> But then we have: > * AES and ChaCha (two modes for the former one even) > * RSA and ECDSA > * NIST curves and Bernstein curves > * ECDHE key exchange an DHE key exchange This is a good point to bring up, but I think it can be resolved easily. AES/ChaCha -- if only mobile you'll do chacha

Re: [TLS] SHA-3 in SignatureScheme

On Fri, Sep 2, 2016 at 12:21 PM, Hubert Kario wrote: > On Friday, 2 September 2016 21:38:33 CEST Yoav Nir wrote: > > > On 2 Sep 2016, at 8:27 PM, Hubert Kario wrote: > > > > > > On Friday, 2 September 2016 12:06:55 CEST Benjamin Kaduk wrote: > > >> On

Re: [TLS] SHA-3 in SignatureScheme

On Friday, 2 September 2016 21:38:33 CEST Yoav Nir wrote: > > On 2 Sep 2016, at 8:27 PM, Hubert Kario wrote: > > > > On Friday, 2 September 2016 12:06:55 CEST Benjamin Kaduk wrote: > >> On 09/02/2016 12:04 PM, Eric Rescorla wrote: > >>> On Fri, Sep 2, 2016 at 8:25 AM, Dave

Re: [TLS] SHA-3 in SignatureScheme

On 09/02/2016 12:27 PM, Hubert Kario wrote: > > what would be the reasons not to add it now? > It seems that Yoav was faster than me, but the two main ones I had in mind were: We want the core protocol to be as small as possible while still fulfilling its goals. We already have extension

Re: [TLS] SHA-3 in SignatureScheme

We should not add new "this is [cool|national-standard|strong|emerging]" crypto mechanisms to this spec. Any invention we do here, should be around the protocol, not the crypto. /r$ ___ TLS mailing list TLS@ietf.org

Re: [TLS] SHA-3 in SignatureScheme

On Fri, Sep 2, 2016 at 11:38 AM, Yoav Nir wrote: > > > On 2 Sep 2016, at 8:27 PM, Hubert Kario wrote: > > > > On Friday, 2 September 2016 12:06:55 CEST Benjamin Kaduk wrote: > >> On 09/02/2016 12:04 PM, Eric Rescorla wrote: > >>> On Fri, Sep 2, 2016 at

Re: [TLS] SHA-3 in SignatureScheme

> On 2 Sep 2016, at 8:27 PM, Hubert Kario wrote: > > On Friday, 2 September 2016 12:06:55 CEST Benjamin Kaduk wrote: >> On 09/02/2016 12:04 PM, Eric Rescorla wrote: >>> On Fri, Sep 2, 2016 at 8:25 AM, Dave Garrett >> >>>

Re: [TLS] SHA-3 in SignatureScheme

On Friday, 2 September 2016 12:06:55 CEST Benjamin Kaduk wrote: > On 09/02/2016 12:04 PM, Eric Rescorla wrote: > > On Fri, Sep 2, 2016 at 8:25 AM, Dave Garrett > > > > wrote: > > On Friday, September 02, 2016 07:32:06 am Eric Rescorla

Re: [TLS] SHA-3 in SignatureScheme

On 09/02/2016 12:04 PM, Eric Rescorla wrote: > > > On Fri, Sep 2, 2016 at 8:25 AM, Dave Garrett > wrote: > > On Friday, September 02, 2016 07:32:06 am Eric Rescorla wrote: > > On Fri, Sep 2, 2016 at 3:42 AM, Ilari Liusvaara >

Re: [TLS] SHA-3 in SignatureScheme

On Fri, Sep 2, 2016 at 10:04 AM, Eric Rescorla wrote: > > > On Fri, Sep 2, 2016 at 8:25 AM, Dave Garrett > wrote: > >> On Friday, September 02, 2016 07:32:06 am Eric Rescorla wrote: >> > On Fri, Sep 2, 2016 at 3:42 AM, Ilari Liusvaara < >>

Re: [TLS] SHA-3 in SignatureScheme

On Fri, Sep 2, 2016 at 8:25 AM, Dave Garrett wrote: > On Friday, September 02, 2016 07:32:06 am Eric Rescorla wrote: > > On Fri, Sep 2, 2016 at 3:42 AM, Ilari Liusvaara < > ilariliusva...@welho.com> wrote: > > > I also don't see why this should be in TLS 1.3 spec, instead

Re: [TLS] SHA-3 in SignatureScheme

On Friday, September 02, 2016 07:32:06 am Eric Rescorla wrote: > On Fri, Sep 2, 2016 at 3:42 AM, Ilari Liusvaara > wrote: > > I also don't see why this should be in TLS 1.3 spec, instead of being > > its own spec (I looked up how much process BS it would be to get the >

Re: [TLS] SHA-3 in SignatureScheme

: Ilari Liusvaara Sent: Friday, September 2, 2016 06:44 To: Hubert Kario Cc: tls@ietf.org Subject: Re: [TLS] SHA-3 in SignatureScheme On Fri, Sep 02, 2016 at 12:08:47PM +0200, Hubert Kario wrote: > On Thursday, 1 September 2016 19:22:18 CEST Dave Garrett wrote: > > > > The reason I

Re: [TLS] SHA-3 in SignatureScheme

On Fri, Sep 2, 2016 at 3:42 AM, Ilari Liusvaara wrote: > On Fri, Sep 02, 2016 at 12:08:47PM +0200, Hubert Kario wrote: > > On Thursday, 1 September 2016 19:22:18 CEST Dave Garrett wrote: > > > > > > The reason I see is that we currently specify exactly one valid hash >

Re: [TLS] SHA-3 in SignatureScheme

On Friday, 2 September 2016 13:42:40 CEST Ilari Liusvaara wrote: > On Fri, Sep 02, 2016 at 12:08:47PM +0200, Hubert Kario wrote: > > On Thursday, 1 September 2016 19:22:18 CEST Dave Garrett wrote: > > > The reason I see is that we currently specify exactly one valid hash > > > algorithm (in a

Re: [TLS] SHA-3 in SignatureScheme

On Fri, Sep 02, 2016 at 12:08:47PM +0200, Hubert Kario wrote: > On Thursday, 1 September 2016 19:22:18 CEST Dave Garrett wrote: > > > > The reason I see is that we currently specify exactly one valid hash > > algorithm (in a variety of sizes). The precedent argument is good enough > > for me. I

Re: [TLS] SHA-3 in SignatureScheme

On Thursday, September 01, 2016 02:30:54 pm Scott Fluhrer (sfluhrer) wrote: > > On Thursday, 1 September 2016 12:43:31 CEST Benjamin Kaduk wrote: > > > On 09/01/2016 12:38 PM, Hubert Kario wrote: > > > > The SHA-3 standard is already published and accepted[1], shouldn't > > > > TLSv1.3 include

Re: [TLS] SHA-3 in SignatureScheme

On Thursday, 1 September 2016 12:43:31 CEST Benjamin Kaduk wrote: > On 09/01/2016 12:38 PM, Hubert Kario wrote: > > The SHA-3 standard is already published and accepted[1], shouldn't TLSv1.3 > > include signatures with those hashes then? > > Why does it need to be part of the core spec instead of

Re: [TLS] SHA-3 in SignatureScheme

On 09/01/2016 12:38 PM, Hubert Kario wrote: > The SHA-3 standard is already published and accepted[1], shouldn't TLSv1.3 > include signatures with those hashes then? Why does it need to be part of the core spec instead of a separate document? > 1 -