On Mon, 2016-02-29 at 09:32 -0800, Joseph Salowey wrote:
> We seem to have good consensus on moving to RSA-PSS and away from
> PKCS-1.5 in TLS 1.3. However, there is a problem that it may take
> some hardware implementations some time to move to RSA-PSS. After an
> off list discussion with a few folks here is a proposal for moving
> forward.
>
> We make RSA-PSS mandatory to implement (MUST implement instead of
> MUST offer). Clients can advertise support for PKCS-1.5 for
> backwards compatibility in the transition period.
> Please respond on the list on whether you think this is a reasonable
> way forward or not.

The mandatory-to-implement approach didn't help TLS 1.0 (which had a
DHE-RSA ciphersuite implemented by no one for several years). If you
want to push for RSA-PSS, then please only define RSA-PSS. That, in
addition, would allow preventing the sharing of keys between TLS 1.2
and TLS 1.3 (i.e., prevent any cross-protocol attacks).

regards,
Nikos
