Hi,

PKCS#1 1.5 signatures are obsolete. New specifications should not
mandate support for them.

RSA signatures in general are difficult for some devices to process
due to their large size. It would be frustrating to have used a pure
ECC infrastructure with no RSA involved at all, only to need to
implement RSA for the purpose of verifying signatures from logs. Thus
I think the group should consider dropping any mention of RSA
signatures from section 10.4 so that log clients do not have to
implement RSA.

If it really is important to have RSA signatures, then RSA PSS should
be used instead. In particular, it would be good to require the same
restricted form specified for TLS, where the same digest algorithm
must be used for all parts of the signature. Note that RSA PSS can be
made deterministic by using a fixed salt, and most implementations of
RSA PSS seem to support fixed salts if the salt length is set to zero.
As mentioned in the RSA PSS specification, PSS signatures are more
secure than PKCS#1 1.5 signatures even with a zero-length salt.

Cheers,
Brian
-- 
https://briansmith.org/

_______________________________________________
Trans mailing list
https://www.ietf.org/mailman/listinfo/trans
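The RSA-PSS behaviour the message describes (same digest for the message hash and MGF1, and a zero-length salt making the signature deterministic), as an added Ruby example that is not from the original post or the CT specification. It assumes Ruby's stdlib OpenSSL bindings, generates a throwaway demo key, and signs a constructed stand-in string rather than a real log structure.

```ruby
require "openssl"

# Constructed demo key, generated at load time. A real log would use a
# long-lived, published signing key instead.
DEMO_KEY = OpenSSL::PKey::RSA.generate(2048)
# One digest for both the message hash and MGF1, the restricted form TLS uses.
DIGEST = "SHA256"

# Sign with RSA-PSS. salt_length: 0 requests an empty (fixed) salt, which makes
# the signature deterministic; :digest requests a fresh random salt of hash length.
def pss_sign(data, salt_length:, key: DEMO_KEY)
  key.sign_pss(DIGEST, data, salt_length: salt_length, mgf1_hash: DIGEST)
end

# Verify with the same digest for hash and MGF1. A strict verifier pins
# salt_length to the value signers are required to use; :auto accepts any.
# OpenSSL may report a malformed PSS encoding as an error rather than false,
# so treat both outcomes as a failed verification.
def pss_verify(data, sig, salt_length:, key: DEMO_KEY)
  key.verify_pss(DIGEST, sig, data, salt_length: salt_length, mgf1_hash: DIGEST)
rescue OpenSSL::PKey::RSAError
  false
end

# Does signing the same input twice yield byte-identical signatures?
def deterministic?(data, salt_length:)
  pss_sign(data, salt_length: salt_length) == pss_sign(data, salt_length: salt_length)
end

if __FILE__ == $PROGRAM_NAME
  sth = "constructed: stand-in for a log's signed tree head bytes"
  puts "random salt deterministic? #{deterministic?(sth, salt_length: :digest)}"
  puts "zero salt deterministic?   #{deterministic?(sth, salt_length: 0)}"
  sig0 = pss_sign(sth, salt_length: 0)
  puts "strict verify, zero salt:  #{pss_verify(sth, sig0, salt_length: 0)}"
  sig_r = pss_sign(sth, salt_length: :digest)
  puts "strict verify rejects random-salt signature: #{!pss_verify(sth, sig_r, salt_length: 0)}"
end
```

Pinning the salt length on the verifying side is what turns "fixed salt" from a signer-side convention into something the relying party can actually check.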