On 04/25/2017 07:08 AM, Dr Stephen Henson wrote:
> On 18/02/2017 02:31, Dr Stephen Henson wrote:
>> Does this apply to RSASSA-PSS (RSA-PSS signing only) keys in end entity
>> certificates too?
>>
>> For example could a TLS 1.2 server legally present a certificate containing an
>> RSASSA-PSS key for an appropriate ciphersuite? Similarly could a client present
>> a certificate containing an RSASSA-PSS key?
>>
> I can't recall getting a definitive answer to this. IMHO we should make the
> requirements clear in the spec otherwise we could get interop issues.
>
> Based on the opinions stated in this thread that would be:
>
> 1. When PSS signatures appear in certificates, MGF digest and signing digest MUST
> match and the salt length must equal the digest length.
We have (in section 4.2.3, Signature Algorithms):

   RSASSA-PSS algorithms  Indicates a signature algorithm using RSASSA-PSS
      [RFC3447 <https://tools.ietf.org/html/rfc3447>] with mask generation
      function 1. The digest used in the mask generation function and the
      digest being signed are both the corresponding hash algorithm as
      defined in [SHS <https://tools.ietf.org/html/draft-ietf-tls-tls13-19#ref-SHS>].
      When used in signed TLS handshake messages, the length of the salt
      MUST be equal to the length of the digest output. This codepoint is
      also defined for use with TLS 1.2.

Is the concern that this is insufficiently clearly indicated as placing
requirements on signatures of certificates as opposed to signatures of TLS data
structures?
> 2. Indicate that the PSS only (id-RSASSA-PSS) and RSA (rsaEncryption) keys MUST
> be supported both as server keys and CA keys in certificates.
Similarly to (1), I believe that it is possible to read the existing
(draft-19) text as making these requirements already, so is the concern
that the text needs to be more clear?
> 3. PSS only keys MUST be supported for TLS 1.2 also.
>
Section 1.3, "Updates Affecting TLS 1.2" notes:

   [...]
   -  RSASSA-PSS signature schemes are defined in Section 4.2.3
      <https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.2.3>.
      An implementation of TLS 1.3 that also supports TLS 1.2 might need to
      include changes to support these changes even when TLS 1.3 is not in
      use. See the referenced sections for more details.
-Ben
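As an added example (not code from this thread or from any TLS implementation), here is a small check of the RSASSA-PSS-params carried in a certificate's signatureAlgorithm (RFC 4055) against the two requirements quoted above from draft-19 section 4.2.3: the MGF1 digest must equal the signing digest, and the salt length must equal that digest's output length. The DER helpers, OID constants and the sample parameter encodings are constructed here for the example and handle only short-form lengths.

```python
# Hand-rolled DER helpers (hypothetical, not from any library); short-form lengths only.
OID_SHA1 = bytes.fromhex("06052b0e03021a")            # 1.3.14.3.2.26
OID_SHA256 = bytes.fromhex("0609608648016503040201")  # 2.16.840.1.101.3.4.2.1
OID_MGF1 = bytes.fromhex("06092a864886f70d010108")    # 1.2.840.113549.1.1.8
DIGEST_LEN = {OID_SHA1: 20, OID_SHA256: 32}
NAMES = {OID_SHA1: "sha1", OID_SHA256: "sha256"}
def tlv(tag, body):                   # encode one DER TLV (bodies stay under 128 bytes here)
    return bytes([tag, len(body)]) + body
def read_tlv(buf, i=0):               # decode the TLV at offset i -> (tag, body, next offset)
    tag, length = buf[i], buf[i + 1]
    assert length < 128, "long-form length not supported"
    return tag, buf[i + 2:i + 2 + length], i + 2 + length
def alg_id(oid, params=b"\x05\x00"):  # AlgorithmIdentifier ::= SEQUENCE { algorithm, parameters }
    return tlv(0x30, oid + params)
def alg_split(alg):                   # AlgorithmIdentifier -> (raw OID TLV, raw parameters)
    _, body, _ = read_tlv(alg)
    _, _, end = read_tlv(body)
    return body[:end], body[end:]

def pss_params(hash_oid, mgf_hash_oid, salt_len):
    """Build RSASSA-PSS-params (RFC 4055) with explicit [0], [1] and [2] fields."""
    return tlv(0x30, tlv(0xA0, alg_id(hash_oid))
               + tlv(0xA1, alg_id(OID_MGF1, alg_id(mgf_hash_oid)))
               + tlv(0xA2, tlv(0x02, bytes([salt_len]))))

def parse_pss_params(der):
    """Decode the fields; an absent field takes its RFC 4055 default (SHA-1, MGF1/SHA-1, 20)."""
    out = {"hash": OID_SHA1, "mgf": OID_MGF1, "mgf_hash": OID_SHA1, "salt": 20}
    seq, i = read_tlv(der)[1], 0
    while i < len(seq):
        tag, body, i = read_tlv(seq, i)
        if tag == 0xA0:                                   # [0] hashAlgorithm
            out["hash"] = alg_split(body)[0]
        elif tag == 0xA1:                                 # [1] maskGenAlgorithm
            out["mgf"], mgf_params = alg_split(body)
            out["mgf_hash"] = alg_split(mgf_params)[0]
        elif tag == 0xA2:                                 # [2] saltLength
            out["salt"] = int.from_bytes(read_tlv(body)[1], "big")
    return out

def check_pss_params(der):            # -> list of violations; [] means the parameters comply
    p, problems = parse_pss_params(der), []
    name = lambda oid: NAMES.get(oid, oid.hex())
    if p["mgf"] != OID_MGF1:
        problems.append("mask generation function is not MGF1")
    if p["hash"] != p["mgf_hash"]:
        problems.append("MGF1 digest %s != signing digest %s" % (name(p["mgf_hash"]), name(p["hash"])))
    if p["salt"] != DIGEST_LEN.get(p["hash"]):
        problems.append("saltLength %d != digest length %s" % (p["salt"], DIGEST_LEN.get(p["hash"])))
    return problems
```

A parameters block with every field omitted decodes to the RFC 4055 defaults (SHA-1 for both digests, salt 20), which this check accepts as internally consistent even though SHA-1 is not among the TLS 1.3 PSS codepoints.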
_______________________________________________
TLS mailing list
https://www.ietf.org/mailman/listinfo/tls