On 1 March 2016 at 16:06, Viktor Dukhovni <[email protected]> wrote:
>> It is much easier to mandate PSS in TLS 1.3 now, than to remove it
>> later. Servers that can't do PSS will use TLS 1.2. This avoids
>> a break-the-web day.
>
> Sorry, ... than to remove *PKCS#1.5* later ...

Yes, this is true for some people, and likely it will be more true in the future. However, a MUST implement PSS is enough for me. If it seems like consensus is against this position, I'll back that all the way. However, on the web side of things, we've some experience with killing stuff that we don't like. It's not always painless (see SHA-1), but I'd rather rely on that system than risk holding back 1.3.
