On 01/03/2016 11:32, Yoav Nir wrote: >> On 1 Mar 2016, at 6:56 AM, Martin Thomson <martin.thom...@gmail.com> wrote: >> >> On 1 March 2016 at 04:32, Joseph Salowey <j...@salowey.net> wrote: >>> We make RSA-PSS mandatory to implement (MUST implement instead of MUST >>> offer). Clients can advertise support for PKCS-1.5 for backwards >>> compatibility in the transition period. >> >>> From my perspective, this is fine. I would like to say that we won't >> ever support PKCS#1.5 for TLS 1.3, but I think that I would rather >> have users on 1.3 with PKCS#1.5 than have them stuck on 1.2. >> >> It seems like others are taking the position that we should say "MUST >> NOT use PKCS#1.5”. > > I’d go even further. I’d remove the rsapss(4) value from SignatureAlgorithm, > leaving just rsa(1), and say that in TLS 1.3 an RSA signature is PSS just as > it was PKCS#1.5 in TLS 1.2.
I strongly agree to Yoav's proposal! No need to have both RSA(-PKCS) and RSA-PSS numbers in SignatureAlgorithms. hannes _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
