Hi Yoav, or the servers must be provided with two certificates – one for TLS 1.2 and the other for TLS 1.3, that won’t make server owners happy.
I think it is a good idea to raise this issue in TLS WG. Regards, Valery. From: Yoav Nir Sent: 19 ноября 2016 г. 7:21 To: Tero Kivinen Cc: ipsec@ietf.org WG; Watson Ladd Subject: Re: [IPsec] Take a stand for key hygine > On 18 Nov 2016, at 5:38, Tero Kivinen <kivi...@iki.fi> wrote: > > Watson Ladd writes: >> I might be confused, but the slides in >> https://www.ietf.org/proceedings/97/slides/slides-97-ipsecme-signature-forms-ambiguity-in-ikev2-00.pdf >> seem to very clearly want something else. Apologies for my >> insufficient context inclusion. > > Yes, with RSA I think it might be quite common for people to use same > key for both RSA PKCS#1 v1.5 and RSA-PSS, and there is not really > anything we can do for that. If that is a problem, then it is more serious for TLS. TLS 1.2 has only PKCS#1. TLS 1.3 has only PSS. So a server that uses a single certificate with RSA for both versions (probably most servers in 1-2 years) will be producing both kinds of signatures from the same key. If that’s a problem, it should be raised during WGLC of TLS 1.3 (which si now) Yoav _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec