+1 for switching to RSA PSS. I don't have any insight into why RSA was originally in 6962, so can't argue strongly in favour of keeping it.
On Fri, May 12, 2017 at 8:18 PM, Richard Barnes <[email protected]> wrote:
> +1
>
> On Fri, May 12, 2017 at 2:51 PM, Brian Smith <[email protected]> wrote:
>> Hi,
>>
>> PKCS#1 1.5 signatures are obsolete. New specifications should not
>> mandate support for them.
>>
>> RSA signatures in general are difficult for some devices to process
>> due to their large size. It would be frustrating to have used a pure
>> ECC infrastructure with no RSA involved at all, only to need to
>> implement RSA for the purpose of verifying signatures from logs. Thus
>> I think the group should consider dropping any mention of RSA
>> signatures from section 10.4 so that log clients do not have to
>> implement RSA.
>>
>> If it really is important to have RSA signatures, then RSA PSS should
>> be used instead. In particular, it would be good to require the same
>> restricted form specified for TLS, where the same digest algorithm
>> must be used for all parts of the signature. Note that RSA PSS can be
>> made deterministic by using a fixed salt, and most implementations of
>> RSA PSS seem to support fixed salts if the salt length is set to zero.
>> As mentioned in the RSA PSS specification, PSS signatures are more
>> secure than PKCS#1 1.5 signatures even with a zero-length salt.
>>
>> Cheers,
>> Brian
>> --
>> https://briansmith.org/
_______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
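The restricted RSA-PSS form Brian describes above (one digest algorithm for the message hash and for MGF1, and a zero-length salt to make signatures deterministic) can be seen concretely in the EMSA-PSS encoding from RFC 8017 section 9.1. The following is an added illustration written for this page, not code from the thread, from RFC 6962-bis, or from any CT log implementation. It shows only the message-encoding half of RSASSA-PSS and deliberately omits the RSA modular exponentiation, so it needs no key; the sample message and the 2048-bit modulus size are constructed for the demo.

```python
"""EMSA-PSS encode/verify (RFC 8017 section 9.1) in pure Python.

Added for illustration of the thread above; not code from the thread or
from RFC 6962-bis. Only the message-encoding half of RSASSA-PSS is shown,
so no RSA key is involved. One hash (hash_name) is used both for the
message digest and inside MGF1, as TLS 1.3's restricted PSS form requires.
"""
import hashlib
import os
from typing import Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mgf1(seed: bytes, mask_len: int, hash_name: str) -> bytes:
    """MGF1 (RFC 8017 B.2.1): Hash(seed || C) for C = 0, 1, ..., truncated."""
    h_len = hashlib.new(hash_name).digest_size
    out = b"".join(
        hashlib.new(hash_name, seed + c.to_bytes(4, "big")).digest()
        for c in range((mask_len + h_len - 1) // h_len)
    )
    return out[:mask_len]


def emsa_pss_encode(message: bytes, em_bits: int, salt_len: int,
                    hash_name: str = "sha256",
                    salt: Optional[bytes] = None) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1); em_bits is modBits - 1.

    With salt_len == 0 the output depends only on the message, i.e. the
    signature becomes deterministic. Otherwise a random salt is drawn.
    """
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if em_len < h_len + salt_len + 2:
        raise ValueError("encoding error: modulus too small for hash + salt")
    if salt is None:
        salt = os.urandom(salt_len)
    if len(salt) != salt_len:
        raise ValueError("salt length mismatch")
    m_hash = hashlib.new(hash_name, message).digest()
    h_val = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - salt_len - h_len - 2) + b"\x01" + salt
    masked_db = bytearray(_xor(db, mgf1(h_val, em_len - h_len - 1, hash_name)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the unused top bits
    return bytes(masked_db) + h_val + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, salt_len: int,
                    hash_name: str = "sha256") -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2): True if em is consistent with message."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if em_len < h_len + salt_len + 2 or len(em) != em_len or em[-1] != 0xBC:
        return False
    masked_db, h_val = em[: em_len - h_len - 1], em[em_len - h_len - 1 : -1]
    top_bits = 8 * em_len - em_bits
    if top_bits and masked_db[0] >> (8 - top_bits):
        return False
    db = bytearray(_xor(masked_db, mgf1(h_val, em_len - h_len - 1, hash_name)))
    db[0] &= 0xFF >> top_bits
    pad_len = em_len - h_len - salt_len - 2
    if any(db[:pad_len]) or db[pad_len] != 0x01:
        return False
    salt = bytes(db[pad_len + 1:])
    m_hash = hashlib.new(hash_name, message).digest()
    return hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest() == h_val


def demo(hash_name: str = "sha256") -> dict:
    """Constructed sample run: zero salt is deterministic, hLen salt is not."""
    msg = b"constructed stand-in for a CT signed tree head"  # not real CT data
    em_bits = 2047  # what a 2048-bit RSA modulus would give
    h_len = hashlib.new(hash_name).digest_size
    fixed1 = emsa_pss_encode(msg, em_bits, 0, hash_name)
    fixed2 = emsa_pss_encode(msg, em_bits, 0, hash_name)
    rand1 = emsa_pss_encode(msg, em_bits, h_len, hash_name)
    rand2 = emsa_pss_encode(msg, em_bits, h_len, hash_name)
    return {
        "zero_salt_deterministic": fixed1 == fixed2,
        "random_salt_differs": rand1 != rand2,
        "zero_salt_verifies": emsa_pss_verify(msg, fixed1, em_bits, 0, hash_name),
        "random_salt_verifies": emsa_pss_verify(msg, rand1, em_bits, h_len, hash_name),
        # The verifier must know the salt length; a mismatch is a rejection.
        "wrong_salt_len_rejected": not emsa_pss_verify(msg, fixed1, em_bits, h_len, hash_name),
        # Mixing digests (SHA-256 encoding checked as SHA-384) also fails.
        "mixed_digest_rejected": not emsa_pss_verify(msg, fixed1, em_bits, 0, "sha384"),
        "tampered_rejected": not emsa_pss_verify(msg + b"x", fixed1, em_bits, 0, hash_name),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two points the thread makes fall out directly: with `salt_len=0` the encoding (and hence the signature, after the RSA private operation) is a pure function of the message, and because the verifier has to know both the hash and the salt length, pinning one digest for every part of the signature, as the TLS 1.3 `rsa_pss_*` scheme does, removes a negotiation surface that PKCS#1 v1.5 never had to begin with.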
