----- Original Message -----
> On Mon, Feb 06, 2017 at 01:12:05AM +0100, Nikos Mavrogiannopoulos wrote:
>
> > The issue is that we cannot tell for sure. Any proof of security
> > assumes that the keys are restricted to a single scheme. So I think we
> > got into a trap where we intended to increase security, while in fact
> > reduced the protocol's security, by ending up adding RSA-PSS in a way
> > that can share keys with PKCS#1 1.5. I think that we should treat
> > RSA-PSS as the means to increase security rather than the end-goal.
>
> Looking at the signature constructions, I would say it is _extremely_
> unlikely that cross-protocol attacks are possible.
Isn't the whole purpose of moving to formally proved schemes the fact that there is a proof of security? This support by TLS 1.3 invalidates this proof, thus making any reason to have RSASSA-PSS moot (unless of course we have a proof that RSASSA-PSS when combined with RSA PKCS#1 1.5 is secure).

regards,
Nikos

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
