On 05/29/2018 10:13 PM, Martin Thomson wrote:
> On Wed, May 30, 2018 at 2:53 PM Andrey Jivsov <cry...@brainhub.org> wrote:
>> The quoted text is old. The need to upgrade TLS 1.2 code if I
>> support TLS 1.3 is new.
> No, I'm certain we had that discussion too.
>
>> I am curious about the scenarios when this upgrade of TLS 1.2 to PSS
>> will take place?
> When people deploy TLS 1.3. Which is happening already. You can avoid the
> need as a server because a client willing to do TLS 1.2 will probably offer
> RSASSA PKCS#1 v1.5 and you can rely on that being there. But yeah, clients
> are going to have to suck it up. Here's the text, which I think is pretty
> clear:
> "
> Implementations that advertise support for RSASSA-PSS (which is mandatory
> in TLS 1.3), MUST be prepared to accept a signature using that scheme even
> when TLS 1.2 is negotiated. "

Correct. That's the single paragraph that I think should not be there. As I asked in the previous message, what is a scenario when this paragraph helps? When will we see a fallback to TLS 1.2 AND upgrade of legacy PKCS#1.5 to PSS (within TLS 1.2)? Why could such a server not accept TLS 1.3 and use PSS there?