On 9 February 2017 at 08:17, Ilari Liusvaara <[email protected]> wrote: > If client includes RSA-PSS codepoints in its signature_algorithms, > then: > > - The server handshake signature MAY be signed using RSA-PSS in TLS > 1.2 or later. Yes, 1.2, not 1.3. > - The certificate chain MAY contain certificates signed with RSA-PSS > in any TLS version (however, the salt length must match hash length).
This is consistent with TLS 1.3 (and the discussion we had on the same subject previously). RSASSA-PSS algorithms: Indicates a signature algorithm using RSASSA-PSS [RFC3447] with mask generation function 1. The digest used in the mask generation function and the digest being signed are both the corresponding hash algorithm as defined in [SHS]. When used in signed TLS handshake messages, the length of the salt MUST be equal to the length of the digest output. This codepoint is also defined for use with TLS 1.2. _______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
