The current draft says "It is RECOMMENDED that implementations implement 'deterministic ECDSA' as specified in [RFC6979]." The current draft also says, regarding RSA-PSS signatures: "When used in signed TLS handshake messages, the length of the salt MUST be equal to the length of the digest output."
I think it would be ideal if we could find a way to specify the RSA-PSS salt requirement in a way that meets the requirements for provable security that motivated the switch to RSA-PSS and also recommends a deterministic method of salt generation analogous to what RFC6979 does for ECDSA. However, I don't know of any such method. Perhaps other people do; if so, the spec should include a recommendation to use such a method.

Also, I think it would be great if people working on proofs of security for TLS could take into consideration the fact that some--perhaps many--implementations will intentionally or accidentally use some form of deterministic or less-than-random salt generation for RSA-PSS. For example, it would be great to see a "What if the salt(s) in the RSA PSS signature(s) were generated deterministically?" section of papers describing such proofs.

Cheers,
Brian
--
https://briansmith.org/
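As an added illustration of the two points discussed above (this is example code written for this page, not from the draft, RFC 8017 or the post), the EMSA-PSS encoding and verification steps with SHA-256, where the verifier is handed the salt length it demands: passing the digest length enforces the TLS 1.3 rule, and supplying a fixed salt models a deterministic implementation. The modulus size, message and salt values are constructed, and the RSA exponentiation around the encoded message is omitted.

```python
import hashlib
import os

HASH = hashlib.sha256
H_LEN = HASH().digest_size  # 32; under the TLS 1.3 rule this is also the salt length


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 (RFC 8017, B.2.1) built on the same hash as the signature."""
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def emsa_pss_encode(message: bytes, em_bits: int, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017, 9.1.1); the caller chooses the salt bytes."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + len(salt) + 2:
        raise ValueError("encoding error: salt too long for this modulus")
    h = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked_db = bytearray(a ^ b for a, b in zip(db, mgf1(h, em_len - H_LEN - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the unused top bits
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017, 9.1.2); s_len is the salt length the verifier requires."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + s_len + 2 or em[-1] != 0xBC:
        return False
    top_mask = 0xFF >> (8 * em_len - em_bits)
    masked_db, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : -1]
    if masked_db[0] & ~top_mask & 0xFF:
        return False
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, em_len - H_LEN - 1)))
    db[0] &= top_mask
    ps_len = em_len - H_LEN - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False  # a salt of the wrong length (or corrupt padding) fails here
    salt = bytes(db[ps_len + 1 :])
    return HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest() == h


def tls13_pss_encode(message: bytes, em_bits: int, salt=None) -> bytes:
    """TLS 1.3 rule: salt length MUST equal the digest length. salt=None draws a
    fresh random salt; a fixed salt yields a deterministic encoding."""
    salt = os.urandom(H_LEN) if salt is None else salt
    if len(salt) != H_LEN:
        raise ValueError("TLS 1.3 requires salt length == digest length")
    return emsa_pss_encode(message, em_bits, salt)
```

With a 2048-bit modulus (em_bits = 2047), a 20-byte salt encodes fine under plain RFC 8017 but is rejected by a verifier that insists on the 32-byte digest length.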
