> On 1 Mar 2016, at 6:52 AM, Andrey Jivsov <cry...@brainhub.org> wrote:
>
> On 02/29/2016 02:36 PM, Hanno Böck wrote:
>> We have an RFC for PSS since 2003.
>> We had several attacks showing the weakness of PKCS #1 1.5.
>
> In the face of such danger, what's your opinion on PKCS #1.5 signatures being
> perfectly fine in TLS 1.3? I refer to signatures in X.509 certs in the
> latest https://tools.ietf.org/html/draft-ietf-tls-tls13-11.
>
> Why not ban PKCS #1.5 altogether from TLS 1.3? It will not only make TLS 1.3
> more secure, but code simpler and footprint smaller. Besides, it's
> reasonable: TLS 1.2 already allows PSS in X.509
It would be cool to ban PKCS#1.5 from certificates, but we are not the PKIX working group. Nor are we the CA/Browser forum. When a CA issues a certificate it has to work with every client and server out there. When we use TLS 1.3, the other side supports TLS 1.3 as well, so it’s fair to assume that it knows PSS.

Yoav
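To make the distinction the thread is drawing concrete, the following is an added Go example, not code from the thread or from any TLS implementation, built only on the standard library's crypto/rsa. It signs one message with PKCS#1 v1.5 and with RSA-PSS (salt length equal to the digest length, as TLS 1.3's rsa_pss signature schemes use), then shows that a verifier written to accept only PSS, the way a TLS 1.3 peer can be, rejects the v1.5 encoding and vice versa, and that v1.5 signatures are deterministic while PSS signatures differ on every signing because of the random salt. The key size, the sample message and the helper names are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// pssOpts pins the salt length to the hash length; TLS 1.3's rsa_pss_* schemes
// require the salt to be as long as the digest.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

// newKey generates a fresh 2048-bit key (size chosen for the example).
func newKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// signV15 signs the SHA-256 digest of msg with the PKCS#1 v1.5 encoding.
func signV15(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// signPSS signs the SHA-256 digest of msg with RSA-PSS (random salt).
func signPSS(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], pssOpts)
}

// verifyV15 models a legacy verifier that accepts only PKCS#1 v1.5 encodings.
func verifyV15(pub *rsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// verifyPSSOnly models a TLS 1.3-style peer that refuses PKCS#1 v1.5
// signatures and checks PSS with the fixed salt length above.
func verifyPSSOnly(pub *rsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, pssOpts) == nil
}

// Result collects the observable properties so they can be asserted on.
type Result struct {
	V15Verifies      bool // v1.5 signature verifies under a v1.5 verifier
	V15Deterministic bool // signing the same message twice gives identical bytes
	PSSVerifies      bool // both PSS signatures verify under the PSS-only verifier
	PSSRandomized    bool // two PSS signatures over the same message differ
	V15RejectedByPSS bool // the PSS-only verifier rejects the v1.5 signature
	PSSRejectedByV15 bool // the v1.5 verifier rejects the PSS signature
}

// runDemo signs msg twice with each scheme and cross-checks the verifiers.
func runDemo(priv *rsa.PrivateKey, msg []byte) (Result, error) {
	var r Result
	s1, err := signV15(priv, msg)
	if err != nil {
		return r, err
	}
	s2, err := signV15(priv, msg)
	if err != nil {
		return r, err
	}
	p1, err := signPSS(priv, msg)
	if err != nil {
		return r, err
	}
	p2, err := signPSS(priv, msg)
	if err != nil {
		return r, err
	}
	pub := &priv.PublicKey
	r.V15Verifies = verifyV15(pub, msg, s1)
	r.V15Deterministic = bytes.Equal(s1, s2)
	r.PSSVerifies = verifyPSSOnly(pub, msg, p1) && verifyPSSOnly(pub, msg, p2)
	r.PSSRandomized = !bytes.Equal(p1, p2)
	r.V15RejectedByPSS = !verifyPSSOnly(pub, msg, s1)
	r.PSSRejectedByV15 = !verifyV15(pub, msg, p1)
	return r, nil
}

func main() {
	priv, err := newKey()
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample message for the demonstration.
	r, err := runDemo(priv, []byte("constructed sample message"))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%+v\n", r)
}
```

All six fields come out true: the two encodings are not interchangeable, so a peer that negotiates only PSS schemes in the TLS 1.3 handshake cannot be handed a v1.5 signature by accident, which is the simplification the thread is weighing against CA and certificate compatibility.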