On Monday, August 8, 2016, Martin Rex wrote:
>
> The urban myth about the advantages of the RSA-PSS signature scheme
> over PKCS#1 v1.5 keeps coming up.
>
Do you think we'll see real-world MitM attacks against RSA-PSS in TLS
similar to those we've seen with PKCS#1v1.5 signature
Martin Rex wrote:
> The urban myth about the advantages of the RSA-PSS signature scheme
> over PKCS#1 v1.5 keeps coming up.
PKCS#1 v1.5 is a partial-domain scheme, not a full-domain scheme. So,
RSA-PSS (without a salt, or with a fixed salt) might still have an
advantage over PKCS#1
> Is that limited, so limited today? Aren't we at a time where the majority of
> servers will use an HSM (either real hardware or virtualized)?
Without even defining "virtualized HSM" the answer is no.
___
TLS mailing list
TLS@ietf.org
On Mon, 2016-08-08 at 14:55 +0200, Martin Rex wrote:
> > Please see the paper "Another Look at ``Provable Security''" from
> > Neal
> > Koblitz and Alfred Menezes.
> >
> > https://eprint.iacr.org/2004/152
> >
> > Section 7: Conclusion
> >
> > "There is no need for the PSS or Katz-Wang versions
Hanno Böck wrote:
>
> Actually there is some info on that in the PSS spec [1]. What I write
> here is my limited understanding, but roughly I'd interpret it as this:
> It says that if you use a non-random salt the security gets reduced to
> the security of full domain hashing, which was kinda the
On Mon, 2016-08-08 at 11:28 +0300, Ilari Liusvaara wrote:
> On Mon, Aug 08, 2016 at 10:17:40AM +0200, Nikos Mavrogiannopoulos
> wrote:
> >
> > Hello,
> > I'm reading the "Pre-Shared Key Extension" section of the TLS 1.3
> > draft [0], and I noticed quite some deviations (IMO) from typical
> >
On Mon, Aug 08, 2016 at 10:17:40AM +0200, Nikos Mavrogiannopoulos wrote:
> Hello,
> I'm reading the "Pre-Shared Key Extension" section of the TLS 1.3
> draft [0], and I noticed quite some deviations (IMO) from typical TLS
> protocol behavior. No rationale is given about them so I ask on list.
>
Hello,
I'm reading the "Pre-Shared Key Extension" section of the TLS 1.3
draft [0], and I noticed quite some deviations (IMO) from typical TLS
protocol behavior. No rationale is given about them so I ask on list.
To summarize, the client sends a list of identities and the server
replies with
On 8 August 2016 at 16:14, Ilari Liusvaara wrote:
> In 2, I would imagine the context is probably usually a sequence
> number of some kind.
The draft defines some rules for construction of identifiers that
prevent collisions and the like.
>> Good question. Errors in
On Mon, Aug 08, 2016 at 11:19:39AM +1000, Martin Thomson wrote:
> On 7 August 2016 at 03:26, Ilari Liusvaara wrote:
>
> > Can applications specify and receive the context values used? E.g.
> > to act as handles to refer to the resulting authority objects
> > (HTTP/2