On 08/02/2017 21:17, Ilari Liusvaara wrote:
> On Wed, Feb 08, 2017 at 07:34:16PM +0000, Timothy Jackson wrote:
>> I have a question on RFC5246 (TLS 1.2) and how it's going to interact with
>> RSASSA-PSS as we roll out TLS 1.3. Does the prohibition against RSASSA-PSS
>> apply only to the signatures that can be used for signing handshakes or
>> does it apply to the entire certificate chain as well? I ask because while
>> I think the latter may have been the intent I have not found anything that
>> indicates the former is not actually what the RFCs require.
>>
>> The relevant section of RFC4056 reads:
>>
>> 7.4.2 Server Certificate
>> ...
>> Note that there are certificates that use algorithms and/or algorithm
>> combinations that cannot be currently used with TLS. For example, a
>> certificate with RSASSA-PSS signature key (id-RSASSA-PSS OID in
>> SubjectPublicKeyInfo) cannot be used because TLS defines no
>> corresponding signature algorithm.
>>
>> I don't see anything here that restricts which signatures can be used on
>> the certificates themselves. Is that accurate? If so, then I think the
>> relevant restrictions are not in TLS RFCs at all, but rather are in RFCs
>> such as 4055, 4056, and 5756. These RFCs allow RSASSA-PSS. Is it
>> therefore permissible to have a CA that is signed with RSASSA-PSS with
>> TLS 1.0, 1.1, or 1.2?
>>
>> Is this what was intended?
>
> My interpretation:
>
> If client includes RSA-PSS codepoints in its signature_algorithms,
> then:
>
> - The server handshake signature MAY be signed using RSA-PSS in TLS
>   1.2 or later. Yes, 1.2, not 1.3.
> - The certificate chain MAY contain certificates signed with RSA-PSS
>   in any TLS version (however, the salt length must match hash length).
>
> In converse case:
>
> - The server MUST NOT sign handshake using RSA-PSS in any TLS
>   version
> - The certificate chain SHOULD NOT contain certificates signed with
>   RSA-PSS in any TLS version.
>
Does this apply to RSASSA-PSS (RSA-PSS signing only) keys in end entity
certificates too? For example could a TLS 1.2 server legally present a
certificate containing an RSASSA-PSS key for an appropriate ciphersuite?
Similarly could a client present a certificate containing an RSASSA-PSS key?

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project:
http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: [email protected], PGP key: via homepage.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
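Added illustration, not part of the thread and not OpenSSL code: the interpretation Ilari gives above (RSA-PSS-signed chain certificates are acceptable only when the client offered rsa_pss codepoints, and then only if the PSS salt length equals the hash length) expressed as a check over a certificate's signatureAlgorithm field. The DER helpers, the function names and the sample AlgorithmIdentifier values are all constructed here for the example; the OIDs and the RFC 4055 parameter defaults are real.

```python
"""Accept/reject a chain certificate's signatureAlgorithm under the RSA-PSS
interpretation quoted in the thread. Minimal DER codec, constructed for this
example (assumption: no external ASN.1 library available)."""

# ---- tiny DER encoder, used only to construct sample input ----
def _oid_bytes(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]            # base-128, continuation bit on all but last
        p >>= 7
        while p:
            chunk.append((p & 0x7F) | 0x80)
            p >>= 7
        body.extend(reversed(chunk))
    return bytes(body)

def tlv(tag, content):
    n = len(content)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def oid(d): return tlv(0x06, _oid_bytes(d))
def integer(v): return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))
def sequence(*items): return tlv(0x30, b"".join(items))
def explicit(n, inner): return tlv(0xA0 | n, inner)   # context-specific [n], constructed
NULL = b"\x05\x00"

ID_RSASSA_PSS = "1.2.840.113549.1.1.10"   # id-RSASSA-PSS (RFC 4055)
ID_MGF1 = "1.2.840.113549.1.1.8"          # id-mgf1
SHA256_RSA = "1.2.840.113549.1.1.11"      # sha256WithRSAEncryption (PKCS#1 v1.5)
SHA1, SHA256 = "1.3.14.3.2.26", "2.16.840.1.101.3.4.2.1"
HASH_LEN = {SHA1: 20, SHA256: 32, "2.16.840.1.101.3.4.2.2": 48, "2.16.840.1.101.3.4.2.3": 64}

# ---- tiny DER decoder ----
def parse_tlv(buf, pos=0):
    """Return (tag, content, end_offset) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 128:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n

def decode_oid(content):
    parts, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def parse_algorithm_identifier(der):
    """Return (oid_string, pss_params_or_None). Absent PSS fields take the
    RFC 4055 defaults: SHA-1, MGF1 with SHA-1, saltLength 20, trailer 1."""
    _, body, _ = parse_tlv(der)
    _, oid_content, end = parse_tlv(body)
    alg, params = decode_oid(oid_content), body[end:]
    if alg != ID_RSASSA_PSS:
        return alg, None
    info = {"hash": SHA1, "mgf_hash": SHA1, "salt_len": 20, "trailer": 1}
    if params:
        _, pbody, _ = parse_tlv(params)
        pos = 0
        while pos < len(pbody):
            ctag, cbody, pos = parse_tlv(pbody, pos)
            n = ctag & 0x1F
            if n == 0:                                  # hashAlgorithm
                _, hb, _ = parse_tlv(cbody); _, ho, _ = parse_tlv(hb)
                info["hash"] = decode_oid(ho)
            elif n == 1:                                # maskGenAlgorithm: mgf1 + hash
                _, mb, _ = parse_tlv(cbody); _, _, e = parse_tlv(mb)
                _, hb, _ = parse_tlv(mb[e:]); _, ho, _ = parse_tlv(hb)
                info["mgf_hash"] = decode_oid(ho)
            elif n == 2:                                # saltLength
                _, ib, _ = parse_tlv(cbody); info["salt_len"] = int.from_bytes(ib, "big")
            elif n == 3:                                # trailerField
                _, ib, _ = parse_tlv(cbody); info["trailer"] = int.from_bytes(ib, "big")
    return alg, info

def chain_signature_ok(alg_der, client_offered_rsa_pss):
    """Policy from the thread: PSS-signed certs only if the client offered
    rsa_pss sigalgs, and only with salt length == hash length."""
    alg, pss = parse_algorithm_identifier(alg_der)
    if alg != ID_RSASSA_PSS:
        return True, "not RSA-PSS"
    if not client_offered_rsa_pss:
        return False, "client did not offer rsa_pss in signature_algorithms"
    if pss["hash"] != pss["mgf_hash"]:
        return False, "MGF1 hash differs from message hash"
    expected = HASH_LEN.get(pss["hash"])
    if expected is None:
        return False, "unknown hash"
    if pss["salt_len"] != expected:
        return False, f"salt length {pss['salt_len']} != hash length {expected}"
    return True, "RSA-PSS with matching salt length"

# ---- constructed sample AlgorithmIdentifiers (not taken from any real cert) ----
def pss_alg_id(hash_oid, salt_len):
    params = sequence(explicit(0, sequence(oid(hash_oid))),
                      explicit(1, sequence(oid(ID_MGF1), sequence(oid(hash_oid)))),
                      explicit(2, integer(salt_len)))
    return sequence(oid(ID_RSASSA_PSS), params)

SAMPLE_PSS_SHA256_OK = pss_alg_id(SHA256, 32)
SAMPLE_PSS_SHA256_BADSALT = pss_alg_id(SHA256, 20)
SAMPLE_PKCS1 = sequence(oid(SHA256_RSA), NULL)

if __name__ == "__main__":
    for name, der in [("pss/ok", SAMPLE_PSS_SHA256_OK),
                      ("pss/salt20", SAMPLE_PSS_SHA256_BADSALT),
                      ("pkcs1", SAMPLE_PKCS1)]:
        for offered in (True, False):
            print(name, "client_offered_pss=%s" % offered, chain_signature_ok(der, offered))
```

The decoder only walks the AlgorithmIdentifier; for a full certificate the same routine applies to the outer signatureAlgorithm field and to the SPKI algorithm, which is where Steve's follow-up question (an id-RSASSA-PSS key in the end-entity certificate) would be detected.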
