> On 1 Mar 2016, at 6:56 AM, Martin Thomson <[email protected]> wrote:
>
> On 1 March 2016 at 04:32, Joseph Salowey <[email protected]> wrote:
>> We make RSA-PSS mandatory to implement (MUST implement instead of MUST
>> offer). Clients can advertise support for PKCS-1.5 for backwards
>> compatibility in the transition period.
>
> From my perspective, this is fine. I would like to say that we won't
> ever support PKCS#1.5 for TLS 1.3, but I think that I would rather
> have users on 1.3 with PKCS#1.5 than have them stuck on 1.2.
>
> It seems like others are taking the position that we should say "MUST
> NOT use PKCS#1.5".

I’d go even further. I’d remove the rsapss(4) value from SignatureAlgorithm, leaving just rsa(1), and say that in TLS 1.3 an RSA signature is PSS just as it was PKCS#1.5 in TLS 1.2.

Certificates are a different issue altogether.

Yoav

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
