Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

2018-05-29 Thread Martin Thomson
On Wed, May 30, 2018 at 4:03 PM Andrey Jivsov wrote: > > Implementations that advertise support for RSASSA-PSS (which is mandatory > > in TLS 1.3), MUST be prepared to accept a signature using that scheme even > > when TLS 1.2 is negotiated. " > Correct. That's the single paragraph that I think s

Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

2018-05-29 Thread Andrey Jivsov
On 05/29/2018 10:13 PM, Martin Thomson wrote: > On Wed, May 30, 2018 at 2:53 PM Andrey Jivsov wrote: >> The quoted text is old. The need to upgrade TLS 1.2 code if I >> support TLS 1.3 is new. > No, I'm certain we had that discussion too. > >> I am curious about the scenarios when is this u

Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

2018-05-29 Thread Martin Thomson
On Wed, May 30, 2018 at 2:53 PM Andrey Jivsov wrote: > The quoted text is old. The need to upgrade TLS 1.2 code if I > support TLS 1.3 is new. No, I'm certain we had that discussion too. > I am curious about the scenarios when is this upgrade of TLS 1.2 to PSS > will take place? When peo

Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

2018-05-29 Thread Andrey Jivsov
On 05/29/2018 06:17 PM, Martin Thomson wrote: > On Wed, May 30, 2018 at 7:20 AM Andrey Jivsov wrote: >> The issue here is that some hardware devices don't implement RSA CRT >> method with PSS, because they hard-wire RSA, legacy padding, and CRT >> method in one operation. RSA PSS can still be done

Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

2018-05-29 Thread Martin Thomson
On Wed, May 30, 2018 at 7:20 AM Andrey Jivsov wrote: > The issue here is that some hardware devices don't implement RSA CRT > method with PSS, because they hard-wire RSA, legacy padding, and CRT > method in one operation. RSA PSS can still be done, but only via a > general modexp operation, which

Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

2018-05-29 Thread Andrey Jivsov
On 05/29/2018 01:58 PM, David Benjamin wrote: > On Tue, May 29, 2018 at 4:26 PM Andrey Jivsov > wrote: > > On 05/29/2018 01:07 PM, David Benjamin wrote: > > I'm not sure I follow this. So, in this scenario, you are the client. > > You wish to support TLS 1.

Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

2018-05-29 Thread Benjamin Kaduk
On Tue, May 29, 2018 at 01:26:27PM -0700, Andrey Jivsov wrote: > On 05/29/2018 01:07 PM, David Benjamin wrote: > > I'm not sure I follow this. So, in this scenario, you are the client. > > You wish to support TLS 1.3, which requires supporting RSA-PSS in TLS > > 1.3, and this is fine. You are able

Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

2018-05-29 Thread David Benjamin
On Tue, May 29, 2018 at 4:26 PM Andrey Jivsov wrote: > On 05/29/2018 01:07 PM, David Benjamin wrote: > > I'm not sure I follow this. So, in this scenario, you are the client. > > You wish to support TLS 1.3, which requires supporting RSA-PSS in TLS > > 1.3, and this is fine. You are able to verif

Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

2018-05-29 Thread Andrey Jivsov
On 05/29/2018 01:07 PM, David Benjamin wrote: > I'm not sure I follow this. So, in this scenario, you are the client. > You wish to support TLS 1.3, which requires supporting RSA-PSS in TLS > 1.3, and this is fine. You are able to verify RSA-PSS signatures from > the server at TLS 1.3. > > At the

Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

2018-05-29 Thread David Benjamin
I'm not sure I follow this. So, in this scenario, you are the client. You wish to support TLS 1.3, which requires supporting RSA-PSS in TLS 1.3, and this is fine. You are able to verify RSA-PSS signatures from the server at TLS 1.3. At the same time, you still talk to some TLS 1.2 servers, so you

Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

2018-05-29 Thread Andrey Jivsov
On 05/29/2018 12:42 PM, Benjamin Kaduk wrote: > On Tue, May 29, 2018 at 12:35:20PM -0700, Andrey Jivsov wrote: >> On 05/29/2018 12:13 PM, Benjamin Kaduk wrote: >>> On Tue, May 29, 2018 at 11:57:39AM -0700, Andrey Jivsov wrote: Greetings. TLS 1.3 draft in sec 4.2.3.  Signature Algorit

Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

2018-05-29 Thread Benjamin Kaduk
On Tue, May 29, 2018 at 12:35:20PM -0700, Andrey Jivsov wrote: > On 05/29/2018 12:13 PM, Benjamin Kaduk wrote: > > On Tue, May 29, 2018 at 11:57:39AM -0700, Andrey Jivsov wrote: > >> Greetings. > >> > >> TLS 1.3 draft in sec 4.2.3.  Signature Algorithms tells that if a client > >> wants to negotiat

Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

2018-05-29 Thread Andrey Jivsov
On 05/29/2018 12:13 PM, Benjamin Kaduk wrote: > On Tue, May 29, 2018 at 11:57:39AM -0700, Andrey Jivsov wrote: >> Greetings. >> >> TLS 1.3 draft in sec 4.2.3.  Signature Algorithms tells that if a client >> wants to negotiate TLS 1.3, it must support an upgraded (and >> incompatible) version of TLS

Re: [TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

2018-05-29 Thread Benjamin Kaduk
On Tue, May 29, 2018 at 11:57:39AM -0700, Andrey Jivsov wrote: > Greetings. > > TLS 1.3 draft in sec 4.2.3.  Signature Algorithms tells that if a client > wants to negotiate TLS 1.3, it must support an upgraded (and > incompatible) version of TLS 1.2, the one that changes RFC 5246 to allow > RSA-P

[TLS] Is it possible for a client to offer TLS 1.3, but not be forced to support RSA PSS in TLS 1.2?

2018-05-29 Thread Andrey Jivsov
Greetings. TLS 1.3 draft in sec 4.2.3.  Signature Algorithms tells that if a client wants to negotiate TLS 1.3, it must support an upgraded (and incompatible) version of TLS 1.2, the one that changes RFC 5246 to allow RSA-PSS in sec. 7.4.1.4.1. Signature Algorithms. You might recall that the poss