On Mon, Mar 07, 2016 at 01:51:41PM +0000, Hannes Mehnert wrote:
> On 01/03/2016 11:32, Yoav Nir wrote:
> >> On 1 Mar 2016, at 6:56 AM, Martin Thomson <[email protected]> wrote:
> >>
> >> On 1 March 2016 at 04:32, Joseph Salowey <[email protected]> wrote:
> >>> We make RSA-PSS mandatory to implement (MUST implement instead of MUST
> >>> offer). Clients can advertise support for PKCS-1.5 for backwards
> >>> compatibility in the transition period.
> >>
> >> From my perspective, this is fine. I would like to say that we won't
> >> ever support PKCS#1.5 for TLS 1.3, but I think that I would rather
> >> have users on 1.3 with PKCS#1.5 than have them stuck on 1.2.
> >>
> >> It seems like others are taking the position that we should say "MUST
> >> NOT use PKCS#1.5".
> >
> > I'd go even further. I'd remove the rsapss(4) value from SignatureAlgorithm,
> > leaving just rsa(1), and say that in TLS 1.3 an RSA signature is PSS just
> > as it was PKCS#1.5 in TLS 1.2.
>
> I strongly agree to Yoav's proposal! No need to have both RSA(-PKCS)
> and RSA-PSS numbers in SignatureAlgorithms.
Doesn't SignatureAlgorithms also negotiate the algorithms supported for
the cert chain? If it does, I think that complicates things.

Also, making the same ClientHello mean two different things depending on
yet-unnegotiated version seems odd to me.

-Ilari

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
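The two designs under discussion, as an added illustration that is not part of the thread or any draft text: the draft-era signature_algorithms entry is a (HashAlgorithm, SignatureAlgorithm) byte pair, using the TLS 1.2 hash values sha256(4)/sha384(5)/sha512(6) and the signature values rsa(1) and rsapss(4) quoted above; the version numbers (3,3) for TLS 1.2 and (3,4) for TLS 1.3 and all function names are my own assumptions. `interpret()` shows Ilari's objection concretely: under the "just rsa(1)" proposal the same offered bytes decode to PKCS#1 v1.5 or PSS depending on a version that is not known when the ClientHello is parsed, whereas with separate codepoints a server can apply a PSS-only policy on the extension alone.

```python
"""Added example (not from the thread): draft-era TLS signature_algorithms
encoding, parsing and the two negotiation models discussed on the list."""
import struct

# HashAlgorithm values from TLS 1.2 (RFC 5246).
HASH_NAMES = {4: "sha256", 5: "sha384", 6: "sha512"}
# SignatureAlgorithm values as quoted in the thread (draft-era numbers;
# the final TLS 1.3 uses a different SignatureScheme registry).
SIG_RSA = 1      # rsa(1): PKCS#1 v1.5 in TLS 1.2
SIG_RSAPSS = 4   # rsapss(4): the value Yoav proposes to drop
SIG_NAMES = {SIG_RSA: "rsa", SIG_RSAPSS: "rsapss"}

TLS12 = (3, 3)   # assumed version tuple for TLS 1.2
TLS13 = (3, 4)   # assumed version tuple for the TLS 1.3 draft


def encode_signature_algorithms(pairs):
    """Encode (hash, sig) pairs as the extension body: a 2-byte length
    followed by one (hash, sig) byte pair per entry."""
    body = b"".join(struct.pack("BB", h, s) for h, s in pairs)
    return struct.pack("!H", len(body)) + body


def decode_signature_algorithms(data):
    """Parse the extension body back into (hash, sig) pairs, rejecting
    an empty list, an odd length, or a length that disagrees with the data."""
    if len(data) < 2:
        raise ValueError("truncated signature_algorithms length")
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:]
    if length == 0 or length % 2 != 0 or length != len(body):
        raise ValueError("malformed signature_algorithms length")
    return [tuple(body[i:i + 2]) for i in range(0, length, 2)]


def interpret(pair, negotiated_version):
    """Meaning of one offered pair under the 'rsa(1) only' proposal:
    rsa(1) is PKCS#1 v1.5 in TLS 1.2 but PSS in TLS 1.3, so the name of the
    padding cannot be known until the version has been negotiated."""
    h, s = pair
    hname = HASH_NAMES.get(h, "hash(%d)" % h)
    if s == SIG_RSA:
        padding = "rsa_pss" if negotiated_version == TLS13 else "rsa_pkcs1"
    elif s == SIG_RSAPSS:
        padding = "rsa_pss"
    else:
        padding = SIG_NAMES.get(s, "sig(%d)" % s)
    return padding + "_" + hname


def select_with_separate_codepoints(offered, server_supported, allow_pkcs1):
    """Server choice when rsa(1) and rsapss(4) stay distinct: walk the
    client's preference order, take the first pair the server supports,
    and skip PKCS#1 v1.5 entries unless the transition allowance is on.
    Returns None when nothing acceptable was offered."""
    for pair in offered:
        if pair not in server_supported:
            continue
        if pair[1] == SIG_RSA and not allow_pkcs1:
            continue
        return pair
    return None


if __name__ == "__main__":
    # Constructed ClientHello extension: sha256+rsapss, then sha256+rsa.
    ext = encode_signature_algorithms([(4, SIG_RSAPSS), (4, SIG_RSA)])
    offered = decode_signature_algorithms(ext)
    for v in (TLS12, TLS13):
        print(v, [interpret(p, v) for p in offered])
    print(select_with_separate_codepoints(offered, {(4, 1), (4, 4)}, False))
```

Running the block prints the same offered list under both versions; the second entry is named differently for each, which is the ambiguity Ilari describes, while the strict selection picks the PSS entry and would return None if only rsa(1) had been offered.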
