On 25/04/2017 15:36, Benjamin Kaduk wrote:
> On 04/25/2017 07:08 AM, Dr Stephen Henson wrote:
>> On 18/02/2017 02:31, Dr Stephen Henson wrote:
>>> Does this apply to RSASSA-PSS (RSA-PSS signing only) keys in end entity
>>> certificates too?
>>>
>>> For example, could a TLS 1.2 server legally present a certificate containing an
>>> RSASSA-PSS key for an appropriate ciphersuite? Similarly, could a client present
>>> a certificate containing an RSASSA-PSS key?
>>>
>> I can't recall getting a definitive answer to this. IMHO we should make the
>> requirements clear in the spec, otherwise we could get interop issues.
>>
>> Based on the opinions stated in this thread that would be:
>>
>> 1. When PSS signatures appear in certificates, MGF digest and signing digest MUST
>> match and the salt length must equal the digest length.
>
> We have (in section 4.2.3, Signature Algorithms):
>
>    RSASSA-PSS algorithms  Indicates a signature algorithm using RSASSA-PSS
>    [RFC3447 <https://tools.ietf.org/html/rfc3447>] with mask generation
>    function 1. The digest used in the mask generation function and the
>    digest being signed are both the corresponding hash algorithm as defined
>    in [SHS <https://tools.ietf.org/html/draft-ietf-tls-tls13-19#ref-SHS>].
>    When used in signed TLS handshake messages, the length of the salt MUST
>    be equal to the length of the digest output. This codepoint is also
>    defined for use with TLS 1.2.
>
> Is the concern that this is insufficiently clearly indicated as placing
> requirements on signatures of certificates as opposed to signatures of TLS
> data structures?
>

Yes, that's my concern. Supporting PSS signatures on certificates is a mandatory requirement and I think we should be very clear about the parameters we permit. The above paragraph says nothing about salt length limitations on signatures on certificates. We could have a situation where one implementation enforces the salt length to be equal to the digest length (and rejects everything else) and another will allow any valid length.

>> 2. Indicate that the PSS only (id-RSASSA-PSS) and RSA (rsaEncryption) keys MUST
>> be supported both as server keys and CA keys in certificates.
>
> Similarly to (1), I believe that it is possible to read the existing (draft-19)
> text as making these requirements already, so is the concern that the text needs
> to be more clear?
>

Yes. id-RSASSA-PSS isn't mentioned anywhere in the spec. If we require implementations to support this I think we should be explicit about it. We might want to refer to RFC5756/RFC4055 which document the syntax.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: [email protected], PGP key: via homepage.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
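The interop hazard Steve describes (one implementation rejecting any salt length other than the digest length, another accepting any valid length) comes down to what a verifier does with the `RSASSA-PSS-params` structure from RFC 4055 that sits in a certificate's `signatureAlgorithm`. The following is an added example, not code from the thread or from OpenSSL: a dependency-free Python decoder for that DER structure that applies the RFC 4055 DEFAULT values and then checks the parameters against the rules quoted from draft-19 section 4.2.3 (MGF1, MGF digest equal to the signing digest, salt length equal to the digest output length). The sample parameter blobs are constructed in the block itself; the `trailerField == 1` check and the "no TLS 1.3 rsa_pss_* code point for SHA-1" check are my additions, taken from RFC 4055 and the draft-19 code point list rather than from the quoted text.

```python
# Added example (not from the thread or from OpenSSL): decode RSASSA-PSS-params
# (RFC 4055 section 3.1) from DER and check it against the TLS 1.3 rules for
# PSS signatures: MGF1, MGF digest == signing digest, saltLength == digest length.

# OID -> (name, digest output length in bytes)
HASH_OIDS = {
    "1.3.14.3.2.26": ("sha1", 20),
    "2.16.840.1.101.3.4.2.1": ("sha256", 32),
    "2.16.840.1.101.3.4.2.2": ("sha384", 48),
    "2.16.840.1.101.3.4.2.3": ("sha512", 64),
}
SHA1, SHA256 = "1.3.14.3.2.26", "2.16.840.1.101.3.4.2.1"
ID_MGF1 = "1.2.840.113549.1.1.8"
# Digests for which draft-ietf-tls-tls13-19 defines an rsa_pss_* code point.
TLS13_PSS_HASHES = {"sha256", "sha384", "sha512"}


def read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    """Yield (tag, value) for each consecutive TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def decode_oid(value):
    """Dotted-string form of a DER OBJECT IDENTIFIER value."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_algorithm_identifier(seq_value):
    """Contents of an AlgorithmIdentifier SEQUENCE -> (oid, parameters value or None)."""
    parts = list(iter_tlvs(seq_value))
    return decode_oid(parts[0][1]), (parts[1][1] if len(parts) > 1 else None)


def parse_pss_params(der):
    """Decode RSASSA-PSS-params, filling in the RFC 4055 DEFAULTs for absent fields."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("RSASSA-PSS-params must be a SEQUENCE")
    p = {"hash": SHA1, "mgf": ID_MGF1, "mgf_hash": SHA1, "salt_len": 20, "trailer": 1}
    for tag, value in iter_tlvs(body):                  # every field is EXPLICITly tagged
        _, inner, _ = read_tlv(value)
        if tag == 0xA0:                                 # hashAlgorithm
            p["hash"], _ = parse_algorithm_identifier(inner)
        elif tag == 0xA1:                               # maskGenAlgorithm; MGF1 params = HashAlgorithm
            p["mgf"], mgf_params = parse_algorithm_identifier(inner)
            if mgf_params is None:
                raise ValueError("maskGenAlgorithm without parameters")
            p["mgf_hash"], _ = parse_algorithm_identifier(mgf_params)
        elif tag == 0xA2:                               # saltLength
            p["salt_len"] = int.from_bytes(inner, "big", signed=True)
        elif tag == 0xA3:                               # trailerField
            p["trailer"] = int.from_bytes(inner, "big", signed=True)
        else:
            raise ValueError("unexpected tag 0x%02x in RSASSA-PSS-params" % tag)
    return p


def check_tls13_pss_params(der):
    """List of violations of the TLS 1.3 PSS rules; an empty list means acceptable."""
    p, problems = parse_pss_params(der), []
    hname, hlen = HASH_OIDS.get(p["hash"], ("unknown", None))
    if hname not in TLS13_PSS_HASHES:
        problems.append("signing digest %s has no TLS 1.3 rsa_pss_* code point" % hname)
    if p["mgf"] != ID_MGF1:
        problems.append("mask generation function is not MGF1")
    if p["mgf_hash"] != p["hash"]:
        problems.append("MGF digest differs from signing digest")
    if hlen is not None and p["salt_len"] != hlen:
        problems.append("saltLength %d != digest length %d" % (p["salt_len"], hlen))
    if p["trailer"] != 1:
        problems.append("trailerField must be 1 (RFC 4055)")
    return problems


# --- minimal DER encoder, used only to construct sample parameter blobs ---
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def build_pss_params(hash_oid, mgf_hash_oid, salt_len, trailer=1):
    """Encode RSASSA-PSS-params with every field present (constructed test data)."""
    def alg(oid):                                        # AlgorithmIdentifier with NULL params
        return tlv(0x30, encode_oid(oid) + tlv(0x05, b""))

    def integer(n):
        return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))
    mgf = tlv(0x30, encode_oid(ID_MGF1) + alg(mgf_hash_oid))
    return tlv(0x30, tlv(0xA0, alg(hash_oid)) + tlv(0xA1, mgf)
               + tlv(0xA2, integer(salt_len)) + tlv(0xA3, integer(trailer)))


GOOD = build_pss_params(SHA256, SHA256, 32)       # sha256 / MGF1-sha256 / salt 32
MGF_MISMATCH = build_pss_params(SHA256, SHA1, 32) # MGF digest differs from signing digest
SHORT_SALT = build_pss_params(SHA256, SHA256, 20) # salt shorter than the digest
ALL_DEFAULTS = bytes([0x30, 0x00])                # empty SEQUENCE: RFC 4055 defaults (sha1, salt 20)

if __name__ == "__main__":
    for name, der in [("good", GOOD), ("mgf_mismatch", MGF_MISMATCH),
                      ("short_salt", SHORT_SALT), ("all_defaults", ALL_DEFAULTS)]:
        print(name, check_tls13_pss_params(der) or "ok")
```

The `ALL_DEFAULTS` case is the one worth noting: an empty parameter SEQUENCE is valid RFC 4055 and decodes to SHA-1 with a 20-byte salt, so a checker that only compares salt length to digest length accepts it even though no TLS 1.3 rsa_pss_* code point uses SHA-1. Whichever policy the spec settles on, it has to be applied to the decoded values after defaults are filled in, not to the presence of fields.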
