On Tue, Sep 06, 2016 at 01:47:48PM +0200, Gilles Van Assche wrote:
> Hello,
> 
> For RSA PSS, I would suggest to consider:
> rsa_pss_shake128
> rsa_pss_shake256
> where SHAKE128 (or 256), as an extendable output function (XOF), directly
> replaces the mask generating function MGF.
> 
> This would make RSA PSS simpler and more efficient.

Well, my opinion on this thing still is:

- There is no real sense of urgent concern about SHA-2.
- This was not true with MD5/SHA-1 when TLS 1.2 was designed. There
  definitely was urgent concern.
- Therefore a few months' delay for a separate spec is not a major issue.
- Delaying TLS 1.3 for that would be a major issue.
- TLS 1.3 has sufficient hooks to add this later (if you disagree,
  speak up, because it would be a major flaw).
- I don't expect people to implement stuff just because it is in TLS 1.3
  spec (but we shouldn't put crap there in case they do), so the
  "visibility loss" would be pretty minimal.


Therefore I think that this work should be pursued in a separate spec,
not in TLS 1.3 core.


-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
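
The suggestion quoted at the top of this message, sketched as an added example (not code from the thread or from any TLS specification): EMSA-PSS encoding and verification from RFC 8017 with a pluggable mask generator, so MGF1's counter loop sits beside a single SHAKE128 call. The function names, the 32-byte SHAKE128 digest length and the 2047-bit encoding size used to exercise it are assumptions, and the RSA operation itself is left out.

```python
import hashlib
import hmac

def mgf1_sha256(seed: bytes, length: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1): hash seed || 32-bit counter until enough bytes."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def mgf_shake128(seed: bytes, length: int) -> bytes:
    """The XOF used directly as the mask generator: one call, any length."""
    return hashlib.shake_128(seed).digest(length)

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def shake128_hash(data: bytes) -> bytes:
    return hashlib.shake_128(data).digest(32)  # 32-byte output: an assumption

def _xor(a: bytes, b: bytes) -> bytearray:
    return bytearray(x ^ y for x, y in zip(a, b))

def pss_encode(msg, em_bits, hash_fn, mgf, salt):
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1) with a pluggable hash and MGF."""
    em_len = (em_bits + 7) // 8
    h = hash_fn(b"\x00" * 8 + hash_fn(msg) + salt)
    pad_len = em_len - len(h) - len(salt) - 2
    if pad_len < 0:
        raise ValueError("encoding error: modulus too small")
    db = b"\x00" * pad_len + b"\x01" + salt
    masked = _xor(db, mgf(h, len(db)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear unused top bits
    return bytes(masked) + h + b"\xbc"

def pss_verify(msg, em, em_bits, hash_fn, mgf, salt_len):
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2); returns True only if consistent."""
    em_len, h_len = (em_bits + 7) // 8, len(hash_fn(b""))
    pad_len = em_len - h_len - salt_len - 2
    top = 0xFF >> (8 * em_len - em_bits)
    if len(em) != em_len or pad_len < 0 or em[-1] != 0xBC or em[0] & ~top & 0xFF:
        return False
    masked, h = em[:-h_len - 1], em[-h_len - 1:-1]
    db = _xor(masked, mgf(h, len(masked)))
    db[0] &= top
    if db[:pad_len] != b"\x00" * pad_len or db[pad_len] != 1:
        return False
    expected = hash_fn(b"\x00" * 8 + hash_fn(msg) + bytes(db[pad_len + 1:]))
    return hmac.compare_digest(h, expected)
```

Signer and verifier must agree on the hash and mask generator: an encoding produced with MGF1 does not verify when the verifier unmasks with SHAKE128.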
