On Mon, 2016-08-08 at 14:55 +0200, Martin Rex wrote: > > Please see the paper "Another Look at ``Provable Security''" from > > Neal > > Koblitz and Alfred Menezes. > > > > https://eprint.iacr.org/2004/152 > > > > Section 7: Conclusion > > > > "There is no need for the PSS or Katz-Wang versions of RSA; > > one might as well use just the basic ?hash and exponentiate? > > signature > > scheme (with a full-domain hash function)." > The advantages of the RSA-PSS signature scheme are limited to > situations > where the rightful owner of the private signing key is not supposed > to have access to the bits of the private key (i.e. key kept in > hardware).
Is that limited, so limited today? Aren't we at a time where the majority of servers will use an HSM (either real hardware or virtualized)? regards, Nikos _______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
