-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2016-03-01 11:35, Yoav Nir wrote:
>>> [HB] We have an RFC for PSS since 2003. We had several attacks >>> showing the weakness of PKCS #1 1.5. And so (maybe not entirely coincidentally!): another attack, dubbed DROWN, just emerged¹, using SSLv2 as - you guessed it - a Bleichenbacher padding oracle against RSA PKCS#1 v1.5! (Please do stop me if you've heard this one before! <g>) >> [AJ] Why not ban PKCS #1.5 altogether from TLS 1.3? It will not >> only make TLS 1.3 more secure, but code simpler and footprint >> smaller. Besides, it's reasonable: TLS 1.2 already allows PSS in >> X.509 A very strong +1 as far as I'm concerned. > [YN] It would be cool to ban PKCS#1.5 from certificates, but we > are not the PKIX working group. Nor are we the CA/Browser forum. > When a CA issues a certificate it has to work with every client > and server out there, When we use TLS 1.3, the other side supports > TLS 1.3 as well, so it’s fair to assume that it knows PSS. Perhaps the PKIX working group and CAB/Forum could both use a friendly reminder not to ignore how perilous using RSA PKCS#1 v1.5 still remains? ___ [1] <https://drownattack.com/drown-attack-paper.pdf> - -- /akr -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJW1d4SAAoJEOyEjtkWi2t6kIQP/2Ziaeu2RGqHqV1Oa6dB0+Go iPbrrHe9C7l7yHxWfhur6ldGUnqAKyzhD5X0RHby0lbpXTcBFQjWPQ3shZE8CUV2 mM4N2UyoAu5w1kOkSvHImeWrtdOPDTBTZhwFJjzEHtLkri6+CXzKE82B94WfhX8/ ddQxg9uaV7eDEcW4um+vn0NG/+IuiJvfVTX7YtNj0yVSvEO7bm6/WRHsWV0FaQ+C HtNawk+KP966PLUPH1N6vBvhNpiZkMtv3QUsKbzAQDn8SPfXHWGy2CBxPLjtIv2w dTmY9dOxJsc7KswtM7DJQqx7azgeGAlLc8MV1PyXw1fIq2qtVI4Fk1+DNrMteC5B cNkez/nPwR01FFj3QV5OnbpcqIX1v9nmGrpDuFw+99xcMjgRrSRc3boclV8/H0PA k8XllkgmXj75TkqSkPV1YXVwOJAT65Uwke7tKHf4TwXSwz+qZVji+y8ZqZ7ACs2/ Pp3IrlNLuJUmFjE+p8zhhEQU6fQjEdkAxT/3KY8/1nKxlXByFVHu1p1jZk7aWBtw aSEDLCI4XKKAJ118yXRtHXxA7LGNujsBYCoSp1A4Rkce57Ea7iuVd4pmctbMgiTA g3UAb7cE4NflzRyQd1Gbycu6wenovj9bOD4HRdTuADRdfGpXv8HMEG+eOUuE7DHx Af4y+IDpfW7HTraWjiKX =iX03 -----END PGP SIGNATURE----- _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
