Re: [TLS] RSA-PSS in TLS 1.3

2016-03-04 Thread Martin Rex
Fedor Brunner wrote: > > Please see the paper "Another Look at ``Provable Security''" from Neal > Koblitz and Alfred Menezes. > > https://eprint.iacr.org/2004/152 > > Section 7: Conclusion > > "There is no need for the PSS or Katz-Wang versions of RSA; > one might as well use just the basic

Re: [TLS] Accepting that other SNI name types will never work.

2016-03-04 Thread Richard Moore
On 3 March 2016 at 23:16, Martin Thomson wrote: > > I assume that the last > error indicates that you didn't get an alert, which I find is > alarmingly common in TLS. > > Yes, that's right. Cheers Rich.

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-04 Thread Martin Rex
Hanno Böck wrote: > m...@sap.com (Martin Rex) wrote: >> >> The *huge* advantage of PKCS#1 v1.5 signatures over RSA-PSS and ECDSA >> signatures is that one can clearly distinguish "wrong public key" >> from "signature does not fit plaintext" errors, and losing this >> capability makes certain

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-04 Thread Hanno Böck
On Fri, 4 Mar 2016 14:45:13 +0100 (CET) m...@sap.com (Martin Rex) wrote: > What should have adopted for TLSv1.2 already, however, is the less > forgiving PKCS#1 v1.5 signature check, that re-creates the encoding > and then compares the recreated inner encoding with the RSA-decrypted > encoding
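The two PKCS#1 v1.5 points raised in this thread, the strict "re-create the encoding and compare" check quoted just above and Martin Rex's earlier remark that a v1.5 verifier can tell "wrong public key" apart from "signature does not fit plaintext", as an added Python illustration. This is not code from the thread or from any TLS implementation. The key is a constructed 512-bit toy key generated deterministically from a seed so the script runs offline (real keys are 2048 bits or more), and all function names are the editor's own. The non-canonical block in `sign_noncanonical` is built with the private key purely to keep the example self-contained; it stands in for the kind of block a forgiving parser would also accept from someone without the key.

```python
"""Strict vs. forgiving PKCS#1 v1.5 (RSASSA) signature verification.

Added illustration, not code from the TLS list thread. Toy 512-bit key,
deterministic from a seed; names are the editor's own.
"""
import hashlib
import random

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")
HASH_LEN = 32


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; enough to build a toy key for the demonstration."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def make_key(bits=512, seed=1234):
    """Constructed toy RSA key (n, e, d); far too small for real use."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        if p != q and (p - 1) % e and (q - 1) % e:  # gcd(e, phi) == 1
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def _k(n):
    return (n.bit_length() + 7) // 8


def emsa_pkcs1_v15_encode(msg, k):
    """EM = 00 || 01 || FF..FF || 00 || DigestInfo(SHA-256(msg)), k bytes."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def _raw_sign(em, n, d):
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(_k(n), "big")


def _recover(sig, n, e):
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(_k(n), "big")


def sign(msg, n, d):
    return _raw_sign(emsa_pkcs1_v15_encode(msg, _k(n)), n, d)


def verify_strict(msg, sig, n, e):
    """Re-create the encoding and compare it byte-for-byte with the
    RSA-recovered block: exactly one block verifies for a given message."""
    return _recover(sig, n, e) == emsa_pkcs1_v15_encode(msg, _k(n))


def verify_lenient(msg, sig, n, e):
    """The forgiving check: walk the recovered block (00 01, some FF bytes,
    00, DigestInfo||hash) and stop after the hash. Trailing bytes are never
    examined, so many different blocks verify for one message."""
    em = _recover(sig, n, e)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = SHA256_DIGEST_INFO + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t


def classify(msg, sig, n, e):
    """Diagnostic a v1.5 verifier can offer: a wrong public key recovers a
    random-looking block with no 00 01 FF..FF 00 framing; a signature over
    other data keeps framing and DigestInfo and differs only in the hash."""
    em = _recover(sig, n, e)
    expected = emsa_pkcs1_v15_encode(msg, _k(n))
    if em == expected:
        return "ok"
    if em[:-HASH_LEN] == expected[:-HASH_LEN]:
        return "hash_mismatch"
    return "wrong_key"


def sign_noncanonical(msg, n, d):
    """Short FF padding plus junk after the hash (constructed with the
    private key here only to keep the example self-contained)."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(msg).digest()
    em = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return _raw_sign(em + b"\xaa" * (_k(n) - len(em)), n, d)


if __name__ == "__main__":
    n, e, d = make_key()
    msg = b"constructed ServerKeyExchange params"
    good, bad = sign(msg, n, d), sign_noncanonical(msg, n, d)
    print("canonical    strict/lenient:", verify_strict(msg, good, n, e), verify_lenient(msg, good, n, e))
    print("non-canonical strict/lenient:", verify_strict(msg, bad, n, e), verify_lenient(msg, bad, n, e))
    print("other key:", classify(msg, good, *make_key(seed=99)[:2]), " other data:", classify(msg + b"x", good, n, e))
```

The strict verifier accepts one block per message and rejects the non-canonical one; the lenient walker accepts both. The `classify` helper is the diagnostic side channel Rex refers to: it only exists because v1.5 has deterministic, structured padding, and it is a debugging aid, not a reason to return anything other than "bad signature" on the wire.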

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-04 Thread Martin Rex
Hanno Böck wrote: > Joseph Salowey wrote: >> >> We make RSA-PSS mandatory to implement (MUST implement instead of MUST >> offer). Clients can advertise support for PKCS-1.5 for backwards >> compatibility in the transition period. >> Please respond on the list on whether you

Re: [TLS] Accepting that other SNI name types will never work.

2016-03-04 Thread Fossati, Thomas (Nokia - GB)
On 04/03/2016 07:58, "EXT Yuhong Bao" wrote: > >> From: thomas.foss...@nokia.com >> To: a...@imperialviolet.org; tls@ietf.org >> Date: Fri, 4 Mar 2016 07:10:06 + >> Subject: Re: [TLS] Accepting that other SNI name types will

Re: [TLS] Accepting that other SNI name types will never work.

2016-03-04 Thread Martin Thomson
On 4 March 2016 at 18:10, Fossati, Thomas (Nokia - GB) wrote: > In CoRE we might need to allocate a new SNI NameType for non-DNS host > names [1]. > > Removing SNI extensibility would make it unfeasible. Not at all. Define a new extension. We have evidence that that