On Saturday, 18 February 2017 18:22:23 CET Dr Stephen Henson wrote: > On 18/02/2017 16:26, Viktor Dukhovni wrote: > > On Sat, Feb 18, 2017 at 02:31:19AM +0000, Dr Stephen Henson wrote: > >> For example could a TLS 1.2 server legally present a certificate > >> containing an RSASSA-PSS key for an appropriate ciphersuite? Similarly > >> could a client present a certificate contain an RSASSA-PSS key? > > > > Isn't an RSA public key independent of the signature algorithms it > > might be employed with? If the EE cert has an RSA key, and RSA-PSS > > is not negotiated, can't the peer (client or server) just sign with > > PKCS#1? So the same EE cert would then be valid for either PSS or > > PKCS#1? Or have I missed the memo on how PSS works with EE certs? > > The most commonly deployed certificates containing RSA keys use > rsaEncryption (1 2 840 113549 1 1 1). For those the key can be used for > PKCS#1 and PSS. > > There is however a second OID id-RSASSA-PSS defined in RFC4055 et al. With > that OID the key can only be legally used for PSS (with possible additional > restrictions) and not PKCS#1. That algorithm OID in EE certs was unusable > for TLS before 1.3 as the signature was always PKCS#1. As a result very few > such certificates have been seen in the wild, but (as mentioned in other > threads) they MUST be supported in TLS 1.3 (rsa_pss_sha256 is a mandatory > algorithm).
sorry for the slight off-topic: how can you create such certificates with openssl command line util? -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls