+1
On Fri, May 12, 2017 at 2:51 PM, Brian Smith <[email protected]> wrote:
> Hi,
>
> PKCS#1 1.5 signatures are obsolete. New specifications should not
> mandate support for them.
>
> RSA signatures in general are difficult for some devices to process
> due to their large size. It would be frustrating to have used a pure
> ECC infrastructure with no RSA involved at all, only to need to
> implement RSA for the purpose of verifying signatures from logs. Thus
> I think the group should consider dropping any mention of RSA
> signatures from section 10.4 so that log clients do not have to
> implement RSA.
>
> If it really is important to have RSA signatures, then RSA PSS should
> be used instead. In particular, it would be good to require the same
> restricted form specified for TLS, where the same digest algorithm
> must be used for all parts of the signature. Note that RSA PSS can be
> made deterministic by using a fixed salt, and most implementations of
> RSA PSS seem to support fixed salts if the salt length is set to zero.
> As mentioned in the RSA PSS specification, PSS signatures are more
> secure than PKCS#1 1.5 signatures even with a zero-length salt.
>
> Cheers,
> Brian
> --
> https://briansmith.org/
>
> _______________________________________________
> Trans mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/trans
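The zero-length-salt point in the quoted message, as an added example that is not part of the original thread or of any TRANS draft: the EMSA-PSS encoding from RFC 8017, using one digest for the message hash, the salted hash and MGF1. The RSA private-key operation is left out because it is a deterministic function of the encoded block; the function names, the 2047-bit encoding size (a 2048-bit modulus) and the sample message are assumptions made for the illustration.

```python
import hashlib, hmac, os

def mgf1(seed, length, hash_name):
    """MGF1 from RFC 8017, built on the same digest as the rest of the signature."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def pss_encode(msg, em_bits, salt_len, hash_name="sha256"):
    """EMSA-PSS-ENCODE; salt_len=0 is the fixed (empty) salt case."""
    h = lambda b: hashlib.new(hash_name, b).digest()
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if em_len < h_len + salt_len + 2:
        raise ValueError("encoding error: modulus too small")
    salt = os.urandom(salt_len)  # empty when salt_len == 0
    H = h(b"\x00" * 8 + h(msg) + salt)
    db = b"\x00" * (em_len - salt_len - h_len - 2) + b"\x01" + salt
    masked = bytearray(a ^ b for a, b in zip(db, mgf1(H, len(db), hash_name)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear bits above em_bits
    return bytes(masked) + H + b"\xbc"

def pss_verify(msg, em, em_bits, salt_len, hash_name="sha256"):
    """EMSA-PSS-VERIFY with the salt length pinned by the verifier."""
    h = lambda b: hashlib.new(hash_name, b).digest()
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + salt_len + 2 or em[-1] != 0xBC:
        return False
    masked, H = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:
        return False
    db = bytearray(a ^ b for a, b in zip(masked, mgf1(H, len(masked), hash_name)))
    db[0] &= top
    pad_len = em_len - h_len - salt_len - 2
    if any(db[:pad_len]) or db[pad_len] != 0x01:
        return False
    salt = bytes(db[pad_len + 1:])
    return hmac.compare_digest(H, h(b"\x00" * 8 + h(msg) + salt))

MSG = b"constructed sample message standing in for a log's signed data"

def distinct_encodings(salt_len, runs=5):
    """Count distinct encodings of MSG over several runs."""
    return len({pss_encode(MSG, 2047, salt_len) for _ in range(runs)})
```

`distinct_encodings(0)` returns 1 while `distinct_encodings(32)` returns 5, and a verifier pinned to one salt length rejects encodings made with the other, so signer and verifier must agree on it.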
