On Wed, May 30, 2018 at 4:03 PM Andrey Jivsov <cry...@brainhub.org> wrote:

> > Implementations that advertise support for RSASSA-PSS (which is mandatory
> > in TLS 1.3), MUST be prepared to accept a signature using that scheme even
> > when TLS 1.2 is negotiated. "
>
> Correct. That's the single paragraph that I think should not be there.

This has been discussed. The working group felt that it was worthwhile having support for PSS in TLS 1.2 and that they preferred not to add more codepoints to support that. The cost here is as you say: clients that offer 1.3 need to be able to handle PSS certs from a server. The cost for the alternative is to make the signature algorithm meaningful in TLS 1.3, which leaves us looking for a solution for 1.2 (yes, a new codepoint would achieve that).

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls