Draft 18 says:
RSASSA-PSS algorithms Indicates a signature algorithm using RSASSA-
PSS [RFC3447] with MGF1. The digest used in the mask generation
function and the digest being signed are both the corresponding
hash algorithm as defined in [SHS]. When used in signed TLS
handshake messages, the length of the salt MUST be equal to the
length of the digest output. This codepoint is defined for use
with TLS 1.2 as well as TLS 1.3.
What are the requirements for certificates when these RSSSA-PSS is used?
The text above indicates the salt length for TLS messages. There are no
restrictions placed on certificate signature salt lengths. Does this mean that
any valid salt length (from 0 to the maximum permitted) must be supported?
Additionally PSS signatures (see RFC4055) can be used with RSA keys
(rsaEncryption OID) and RSA-PSS only keys (id-RSASSA-PSS OID). Does the
RSASSA-PSS mean that both types must be accepted?
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: [email protected], PGP key: via homepage.
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
