Re: [TLS] TLS RSA-PSS and various versions of TLS

On Wed, Apr 26, 2017 at 03:23:57PM +0200, Martin Rex wrote: > > Signatures on certificates are created by CAs, rather than TLS endpoints, > so any implementation that uses TLS protocol parameters (about TLS signature > algorithms) for more than a mere cert selection hint, is actively creating >

Re: [TLS] TLS RSA-PSS and various versions of TLS

Dr Stephen Henson wrote: > On 25/04/2017 15:36, Benjamin Kaduk wrote: >> >>RSASSA-PSS algorithms Indicates a signature algorithm using RSASSA- >> PSS [RFC3447 ] with mask >> generation function 1. The digest used in >> the mask generation

Re: [TLS] TLS RSA-PSS and various versions of TLS

On 25/04/2017 15:36, Benjamin Kaduk wrote: > On 04/25/2017 07:08 AM, Dr Stephen Henson wrote: >> On 18/02/2017 02:31, Dr Stephen Henson wrote: >>> Does this apply to RSASSA-PSS (RSA-PSS signing only) keys in end entity >>> certificates too? >>> >>> For example could a TLS 1.2 server legally

Re: [TLS] TLS RSA-PSS and various versions of TLS

On 04/25/2017 07:08 AM, Dr Stephen Henson wrote: > On 18/02/2017 02:31, Dr Stephen Henson wrote: >> Does this apply to RSASSA-PSS (RSA-PSS signing only) keys in end entity >> certificates too? >> >> For example could a TLS 1.2 server legally present a certificate containing >> an >> RSASSA-PSS

Re: [TLS] TLS RSA-PSS and various versions of TLS

On 18/02/2017 02:31, Dr Stephen Henson wrote: > > Does this apply to RSASSA-PSS (RSA-PSS signing only) keys in end entity > certificates too? > > For example could a TLS 1.2 server legally present a certificate containing an > RSASSA-PSS key for an appropriate ciphersuite? Similarly could a

Re: [TLS] TLS RSA-PSS and various versions of TLS

On Saturday, 18 February 2017 18:22:23 CET Dr Stephen Henson wrote: > On 18/02/2017 16:26, Viktor Dukhovni wrote: > > On Sat, Feb 18, 2017 at 02:31:19AM +, Dr Stephen Henson wrote: > >> For example could a TLS 1.2 server legally present a certificate > >> containing an RSASSA-PSS key for an

Re: [TLS] TLS RSA-PSS and various versions of TLS

On 19 February 2017 at 06:25, Ilari Liusvaara wrote: > - Only the 3 TLS 1.3 variants of RSA-PSS are supported. Including in > 1.2 and certificates. > - When using RSA-PSS for SKE signature, the ciphersuite signature > algorithm is set to RSA. > - Ciphersuite

Re: [TLS] TLS RSA-PSS and various versions of TLS

On Sat, Feb 18, 2017 at 06:22:23PM +, Dr Stephen Henson wrote: > On 18/02/2017 16:26, Viktor Dukhovni wrote: > > On Sat, Feb 18, 2017 at 02:31:19AM +, Dr Stephen Henson wrote: > > > >> > >> For example could a TLS 1.2 server legally present a certificate > >> containing an > >>

Re: [TLS] TLS RSA-PSS and various versions of TLS

On 18/02/2017 16:26, Viktor Dukhovni wrote: > On Sat, Feb 18, 2017 at 02:31:19AM +, Dr Stephen Henson wrote: > >> >> For example could a TLS 1.2 server legally present a certificate containing >> an >> RSASSA-PSS key for an appropriate ciphersuite? Similarly could a client >> present >> a

Re: [TLS] TLS RSA-PSS and various versions of TLS

On Sat, Feb 18, 2017 at 02:31:19AM +, Dr Stephen Henson wrote: > > If client includes RSA-PSS codepoints in its signature_algorithms, > > then: > > > > - The server handshake signature MAY be signed using RSA-PSS in TLS > > 1.2 or later. Yes, 1.2, not 1.3. > > - The certificate chain MAY

Re: [TLS] TLS RSA-PSS and various versions of TLS

On 18/02/2017 10:01, Martin Thomson wrote: > On 18 February 2017 at 13:31, Dr Stephen Henson > wrote: >> could a TLS 1.2 server legally present a certificate containing an >> RSASSA-PSS key for an appropriate ciphersuite? Similarly could a client >> present >> a

Re: [TLS] TLS RSA-PSS and various versions of TLS

On 18 February 2017 at 13:31, Dr Stephen Henson wrote: > could a TLS 1.2 server legally present a certificate containing an > RSASSA-PSS key for an appropriate ciphersuite? Similarly could a client > present > a certificate contain an RSASSA-PSS key? NSS, when

Re: [TLS] TLS RSA-PSS and various versions of TLS

On 08/02/2017 21:17, Ilari Liusvaara wrote: > On Wed, Feb 08, 2017 at 07:34:16PM +, Timothy Jackson wrote: >> I have a question on RFC5246 (TLS 1.2) and how it’s going to interact with >> RSASSA-PSS as we roll out TLS 1.3. Does the prohibition against RSASSA-PSS >> apply only to the signatures

Re: [TLS] TLS RSA-PSS and various versions of TLS

On 9 February 2017 at 08:17, Ilari Liusvaara wrote: > If client includes RSA-PSS codepoints in its signature_algorithms, > then: > > - The server handshake signature MAY be signed using RSA-PSS in TLS > 1.2 or later. Yes, 1.2, not 1.3. > - The certificate chain MAY

Re: [TLS] TLS RSA-PSS and various versions of TLS

On Wed, Feb 08, 2017 at 07:34:16PM +, Timothy Jackson wrote: > I have a question on RFC5246 (TLS 1.2) and how it’s going to interact with > RSASSA-PSS as we roll out TLS 1.3. Does the prohibition against RSASSA-PSS > apply only to the signatures that can be used for signing handshakes or >

Re: [TLS] TLS RSA-PSS and various versions of TLS

On 9 February 2017 at 07:20, Yoav Nir wrote: > And it doesn’t help if the client does not provide the extension. The > extension can restrict from among the set of supported algorithms, Its > absence does not allow undefined algorithms. Since TLS 1.3 defines code points for

Re: [TLS] TLS RSA-PSS and various versions of TLS

> On 8 Feb 2017, at 21:34, Timothy Jackson wrote: > > I have a question on RFC5246 (TLS 1.2) and how it’s going to interact with > RSASSA-PSS as we roll out TLS 1.3. Does the prohibition against RSASSA-PSS > apply only to the signatures that can be used for signing