On 1 March 2016 at 16:06, Viktor Dukhovni wrote:
>> It is much easier to mandate PSS in TLS 1.3 now, than to remove it
>> later. Servers that can't do PSS will use TLS 1.2. This avoids
>> a break-the-web day.
>
> Sorry, ... than to remove *PKCS#1.5* later ...
Yes, this is true for some people,
On Mon, 2016-02-29 at 09:32 -0800, Joseph Salowey wrote:
> We seem to have good consensus on moving to RSA-PSS and away from
> PKCS-1.5 in TLS 1.3. However, there is a problem that it may take
> some hardware implementations some time to move to RSA-PSS. After an
> off list discussion with a few
> On 1 Mar 2016, at 6:56 AM, Martin Thomson wrote:
>
> On 1 March 2016 at 04:32, Joseph Salowey wrote:
>> We make RSA-PSS mandatory to implement (MUST implement instead of MUST
>> offer). Clients can advertise support for PKCS-1.5 for backwards
>> compatibility in the transition period.
>
>>
> On 1 Mar 2016, at 6:52 AM, Andrey Jivsov wrote:
>
> On 02/29/2016 02:36 PM, Hanno Böck wrote:
>> We have an RFC for PSS since 2003.
>> We had several attacks showing the weakness of PKCS #1 1.5.
>
> In the face of such danger, what's your opinion on PKCS #1.5 signatures being
> perfectly fin
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 2016-03-01 11:35, Yoav Nir wrote:
>>> [HB] We have an RFC for PSS since 2003. We had several attacks
>>> showing the weakness of PKCS #1 1.5.
And so (maybe not entirely coincidentally!): another attack, dubbed
DROWN, just emerged¹, using SSLv2
On Mar 1, 2016 10:23 AM, "Alyssa Rowan" wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On 2016-03-01 11:35, Yoav Nir wrote:
>
> >>> [HB] We have an RFC for PSS since 2003. We had several attacks
> >>> showing the weakness of PKCS #1 1.5.
>
> And so (maybe not entirely coincidenta
On Tue, Mar 01, 2016 at 10:26:35AM -0800, Watson Ladd wrote:
> > And so (maybe not entirely coincidentally!): another attack, dubbed
> > DROWN, just emerged¹, using SSLv2 as - you guessed it - a
> > Bleichenbacher padding oracle against RSA PKCS#1 v1.5!
>
> PSS doesn't help against Bleichenbacher
On 1 Mar 2016, at 8:23 PM, Alyssa Rowan wrote:
> > [YN] It would be cool to ban PKCS#1.5 from certificates, but we
> > are not the PKIX working group. Nor are we the CA/Browser forum.
> > When a CA issues a certificate it has to work with every client
> > and server out there, When we use TLS 1.
On Tue, 1 Mar 2016 18:23:25 +
Alyssa Rowan wrote:
> And so (maybe not entirely coincidentally!): another attack, dubbed
> DROWN, just emerged¹, using SSLv2 as - you guessed it - a
> Bleichenbacher padding oracle against RSA PKCS#1 v1.5!
To be fair, the issues surrounding RSA encryption are d
All,
After completing the early code point assignment process, IANA has added the
following values to the Supported Groups Registry:
29 ecdh_x25519
30 ecdh_x448
You can see the entries here:
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
spt
PS
All,
IANA has assigned code points for draft-ietf-tls-chacha20-poly1305. They can
be found in the following registry:
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
Authors,
Feel free to update your draft to reflect just the assigned numbers, which
happe
OK, I’ve created a pull request to update 4492bis.
https://github.com/tlswg/rfc4492bis/pull/20
There’s still the curves for EDDSA that are not yet assigned.
Yoav
> On 2 Mar 2016, at 12:23 AM, Sean Turner wrote:
>
> All,
>
> After completing the early code point assignment process, IANA has ad
On 2 March 2016 at 05:38, Viktor Dukhovni wrote:
> Yes, fortunately TLS 1.3 eliminates RSA key transport.
It does not. It just doesn't *use* RSA key transport. That's the
unfortunate part. Hence the call for key separation.
___
TLS mailing list
TLS@
On 03/01/2016 11:20 AM, Yoav Nir wrote:
On 1 Mar 2016, at 8:23 PM, Alyssa Rowan wrote:
[YN] It would be cool to ban PKCS#1.5 from certificates, but we
are not the PKIX working group. Nor are we the CA/Browser forum.
When a CA issues a certificate it has to work with every client
and server ou
Hi Ilari,
Thank you for your kind comments. We will try to commented cases.
Regards,
Shin’ichiro Matsuo
> On Feb 25, 2016, at 12:11 PM, Ilari Liusvaara
> wrote:
>
> On Thu, Feb 25, 2016 at 08:05:58AM -0800, Shin'ichiro Matsuo wrote:
>
>>
>> -
>>
>> [Wha
On Mon, Feb 29, 2016 at 6:45 AM, Sean Turner wrote:
> At the TRON workshop [0], we (Joe and Sean) were asked to provide our views
> about the status and timeline for TLS 1.3; we wanted to share the same
> information with the WG.
>
> Before that though, we want to thank the researchers for the t
On Tue, Mar 1, 2016 at 6:42 PM, Watson Ladd wrote:
> On Mon, Feb 29, 2016 at 6:45 AM, Sean Turner wrote:
> > At the TRON workshop [0], we (Joe and Sean) were asked to provide our
> views about the status and timeline for TLS 1.3; we wanted to share the
> same information with the WG.
> >
> > Bef
On 2 March 2016 at 13:55, Eric Rescorla wrote:
> I think a "safer" profile of TLS, as in "implement the following features
> (section XXX, YYY) and not the following (section ZZZ)" then that seems like
> something that might potentially be a useful exercise. Depending on length,
> this might event
On Tue, Mar 1, 2016 at 7:01 PM, Martin Thomson wrote:
> On 2 March 2016 at 13:55, Eric Rescorla wrote:
>> I think a "safer" profile of TLS, as in "implement the following features
>> (section XXX, YYY) and not the following (section ZZZ)" then that seems like
>> something that might potentially b
On Tue, Mar 1, 2016 at 7:01 PM, Martin Thomson
wrote:
> On 2 March 2016 at 13:55, Eric Rescorla wrote:
> > I think a "safer" profile of TLS, as in "implement the following features
> > (section XXX, YYY) and not the following (section ZZZ)" then that seems
> like
> > something that might potenti
On 2 March 2016 at 14:39, Eric Rescorla wrote:
>
> Reading this over, I wonder if we're talking about the same thing. It's
> probably my fault for
> using the word "self-contained" here, so in the interest of clarifying, what
> I meant here was
> "separate".
Yes, separate was my thought.
> Spec
> On 2 Mar 2016, at 3:03 AM, Andrey Jivsov wrote:
>
> On 03/01/2016 11:20 AM, Yoav Nir wrote:
>>
>> On 1 Mar 2016, at 8:23 PM, Alyssa Rowan wrote:
>>
[YN] It would be cool to ban PKCS#1.5 from certificates, but we
are not the PKIX working group. Nor are we the CA/Browser forum.
On Wed, Mar 02, 2016 at 08:37:46AM +0200, Yoav Nir wrote:
> Because this is a particular field that we control.
Which is in itself a reasonable argument for leaving legacy behind,
... but also because adaptive attacks are I think a greater potential
threat against interactive TLS than against a
23 matches
Mail list logo
