Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-08 Thread Tony Arcieri
On Monday, August 8, 2016, Martin Rex wrote:
> The urban myth about the advantages of the RSA-PSS signature scheme
> over PKCS#1 v1.5 keep coming up.

Do you think we'll see real-world MitM attacks against RSA-PSS in TLS similar to those we've seen with PKCS#1v1.5 signature

Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-08 Thread Brian Smith
Martin Rex wrote:
> The urban myth about the advantages of the RSA-PSS signature scheme
> over PKCS#1 v1.5 keep coming up.

PKCS#1 v1.5 is a partial-domain scheme, not a full-domain scheme. So, RSA-PSS (without a salt, or with a fixed salt) might still have an advantage over PKCS#1

Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-08 Thread Salz, Rich
> Is that limited, so limited today? Aren't we at a time where the majority of
> servers will use an HSM (either real hardware or virtualized)?

Without even defining "virtualized HSM" the answer is no.

Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-08 Thread Nikos Mavrogiannopoulos
On Mon, 2016-08-08 at 14:55 +0200, Martin Rex wrote:
> > Please see the paper "Another Look at ``Provable Security''" from
> > Neal Koblitz and Alfred Menezes.
> >
> > https://eprint.iacr.org/2004/152
> >
> > Section 7: Conclusion
> >
> > "There is no need for the PSS or Katz-Wang versions

Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-08 Thread Martin Rex
Hanno Böck wrote:
> Actually there is some info on that in the PSS spec [1]. What I write
> here is my limited understanding, but roughly I'd interpret it as this:
> It says that if you use a non-random salt the security gets reduced to
> the security of full domain hashing, which was kinda the

Re: [TLS] TLS1.3 + PSK with multiple identities

2016-08-08 Thread Nikos Mavrogiannopoulos
On Mon, 2016-08-08 at 11:28 +0300, Ilari Liusvaara wrote:
> On Mon, Aug 08, 2016 at 10:17:40AM +0200, Nikos Mavrogiannopoulos wrote:
> >
> > Hello,
> > I'm reading the "Pre-Shared Key Extension" section of the TLS 1.3
> > draft [0], and I noticed quite some deviations (IMO) from typical

Re: [TLS] TLS1.3 + PSK with multiple identities

2016-08-08 Thread Ilari Liusvaara
On Mon, Aug 08, 2016 at 10:17:40AM +0200, Nikos Mavrogiannopoulos wrote:
> Hello,
> I'm reading the "Pre-Shared Key Extension" section of the TLS 1.3
> draft [0], and I noticed quite some deviations (IMO) from typical TLS
> protocol behavior. No rationale is given about them so I ask on list.

[TLS] TLS1.3 + PSK with multiple identities

2016-08-08 Thread Nikos Mavrogiannopoulos
Hello, I'm reading the "Pre-Shared Key Extension" section of the TLS 1.3 draft [0], and I noticed quite some deviations (IMO) from typical TLS protocol behavior. No rationale is given about them so I ask on list. To summarize, the client sends a list of identities and the server replies with

Re: [TLS] draft-sullivan-tls-post-handshake-auth-00

2016-08-08 Thread Martin Thomson
On 8 August 2016 at 16:14, Ilari Liusvaara wrote:
> In 2, I would imagine the context is probably usually a sequence
> number of some kind.

The draft defines some rules for construction of identifiers that prevent collisions and the like.

>> Good question. Errors in

Re: [TLS] draft-sullivan-tls-post-handshake-auth-00

2016-08-08 Thread Ilari Liusvaara
On Mon, Aug 08, 2016 at 11:19:39AM +1000, Martin Thomson wrote:
> On 7 August 2016 at 03:26, Ilari Liusvaara wrote:
> > > Can applications specify and receive the context values used? E.g.
> > > to act as handles to refer to the resulting authority objects
> > > (HTTP/2