On Fri, Jan 20, 2017 at 05:43:21PM +0000, Dr Stephen Henson wrote:
> Draft 18 says:
>
> RSASSA-PSS algorithms  Indicates a signature algorithm using
> RSASSA-PSS [RFC3447] with MGF1. The digest used in the mask generation
> function and the digest being signed are both the corresponding
> hash algorithm as defined in [SHS]. When used in signed TLS
> handshake messages, the length of the salt MUST be equal to the
> length of the digest output. This codepoint is defined for use
> with TLS 1.2 as well as TLS 1.3.
>
> What are the requirements for certificates when these RSASSA-PSS is used?

AFAIK, no special requirements.

> The text above indicates the salt length for TLS messages. There are no
> restrictions placed on certificate signature salt lengths. Does this mean that
> any valid salt length (from 0 to the maximum permitted) must be supported?

Well, the code I have written enforces the salt length restriction
also on any possible RSA-PSS certificates in chain. This comes from
not even having RSA-PSS validation code that could deal with arbitrary
salt length.

> Additionally PSS signatures (see RFC4055) can be used with RSA keys
> (rsaEncryption OID) and RSA-PSS only keys (id-RSASSA-PSS OID). Does the
> RSASSA-PSS mean that both types must be accepted?

I don't think you will see the latter outside some test sites for
a while... But hmm, I think I should implement RSA-PSS only keys
in some of my stuff...

-Ilari
