On 18/02/2017 16:26, Viktor Dukhovni wrote: > On Sat, Feb 18, 2017 at 02:31:19AM +0000, Dr Stephen Henson wrote: > >> >> For example could a TLS 1.2 server legally present a certificate containing >> an >> RSASSA-PSS key for an appropriate ciphersuite? Similarly could a client >> present >> a certificate contain an RSASSA-PSS key? > > Isn't an RSA public key independent of the signature algorithms it > might be employed with? If the EE cert has an RSA key, and RSA-PSS > is not negotiated, can't the peer (client or server) just sign with > PKCS#1? So the same EE cert would then be valid for either PSS or > PKCS#1? Or have I missed the memo on how PSS works with EE certs? >
The most commonly deployed certificates containing RSA keys use rsaEncryption (1 2 840 113549 1 1 1). For those the key can be used for PKCS#1 and PSS. There is however a second OID id-RSASSA-PSS defined in RFC4055 et al. With that OID the key can only be legally used for PSS (with possible additional restrictions) and not PKCS#1. That algorithm OID in EE certs was unusable for TLS before 1.3 as the signature was always PKCS#1. As a result very few such certificates have been seen in the wild, but (as mentioned in other threads) they MUST be supported in TLS 1.3 (rsa_pss_sha256 is a mandatory algorithm). My question was whether this implied TLS 1.2 implementations (that include PSS in the signature algorithms extension) must support them too. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.co.uk/ Email: shen...@drh-consultancy.co.uk, PGP key: via homepage. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls