Martin Rex <m...@sap.com> wrote: > The urban myth about the advantages of the RSA-PSS signature scheme > over PKCS#1 v1.5 keep coming up.
PKCS#1 v1.5 is a partial-domain scheme, not a full-domain scheme. So, RSA-PSS (without a salt, or with a fixed salt) might still have an advantage over PKCS#1 v1.5 because it is a full-domain scheme. > The advantages of the RSA-PSS signature scheme are limited to situations > where the rightful owner of the private signing key is not supposed > to have access to the bits of the private key (i.e. key kept in hardware). RSA-PSS is the only (IETF) (proposed) standard for full-domain hashing we have for RSA, AFAIK. This is why I think it might still make sense to use it, in a deterministic fashion. Cheers, Brian -- https://briansmith.org/ _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls