I have a question on RFC5246 (TLS 1.2) and how it’s going to interact with RSASSA-PSS as we roll out TLS 1.3. Does the prohibition against RSASSA-PSS apply only to the signatures that can be used for signing handshakes or does it apply to the entire certificate chain as well? I ask because while I think the latter may have been the intent I have not found anything that indicates the former is not actually what the RFCs require.
The relevant section of RFC4056 reads:

    7.4.2 Server Certificate
    …
    Note that there are certificates that use algorithms and/or algorithm combinations that cannot be currently used with TLS. For example, a certificate with RSASSA-PSS signature key (id-RSASSA-PSS OID in SubjectPublicKeyInfo) cannot be used because TLS defines no corresponding signature algorithm.

I don't see anything here that restricts which signatures can be used on the certificates themselves. Is that accurate? If so, then I think the relevant restrictions are not in the TLS RFCs at all, but rather are in RFCs such as 4055, 4056, and 5756. These RFCs allow RSASSA-PSS. Is it therefore permissible to have a CA that is signed with RSASSA-PSS with TLS 1.0, 1.1, or 1.2? Is this what was intended?

Thanks,
Tim
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
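The distinction the post turns on is which field of the certificate carries id-RSASSA-PSS: the quoted note from section 7.4.2 speaks of the OID in SubjectPublicKeyInfo (the key), while the question is about the AlgorithmIdentifier of the signature over the certificate. The following is an added example, not part of the post or of any IETF document, that walks a DER-encoded certificate and reports the three AlgorithmIdentifiers involved (tbsCertificate.signature, subjectPublicKeyInfo.algorithm and the outer signatureAlgorithm, per RFC 5280 section 4.1). The sample input is a constructed certificate-shaped skeleton with empty Name and Validity fields and a dummy key, so it parses but is not a real or verifiable certificate; the helper names and the omission of AlgorithmIdentifier parameters are assumptions made for brevity.

```python
"""Locate the three AlgorithmIdentifiers in a DER X.509 certificate and report
which of them name id-RSASSA-PSS (added example, not code from the post)."""

OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"    # rsaEncryption (SPKI of a plain RSA key)
OID_RSASSA_PSS = "1.2.840.113549.1.1.10"       # id-RSASSA-PSS (RFC 4055)
OID_SHA256_WITH_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption (PKCS#1 v1.5)


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the contents of a constructed DER value into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _alg_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid = _children(alg_id)[0]
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def algorithm_identifiers(cert_der):
    """Return the OIDs of tbsCertificate.signature, subjectPublicKeyInfo.algorithm
    and the outer signatureAlgorithm (RFC 5280 section 4.1 field order)."""
    _, cert, _ = _read_tlv(cert_der, 0)
    (tbs_tag, tbs), (_, outer_sig_alg), _sig_value = _children(cert)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _serial, tbs_sig_alg, _issuer, _validity, _subject, spki = [v for _, v in fields[:6]]
    spki_alg = _children(spki)[0][1]
    return {"tbs_signature": _alg_oid(tbs_sig_alg),
            "spki_algorithm": _alg_oid(spki_alg),
            "outer_signature_algorithm": _alg_oid(outer_sig_alg)}


def pss_usage(cert_der):
    """Separate 'the key is PSS' (the case the RFC 5246 7.4.2 note describes)
    from 'the signature over the certificate is PSS' (the case the post asks about)."""
    oids = algorithm_identifiers(cert_der)
    return {"key_is_pss": oids["spki_algorithm"] == OID_RSASSA_PSS,
            "signature_is_pss": oids["tbs_signature"] == OID_RSASSA_PSS,
            "signature_fields_agree": oids["tbs_signature"] == oids["outer_signature_algorithm"]}


# ---- constructed input: a certificate-shaped skeleton, not a real certificate ----

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return _tlv(0x06, bytes(body))


def skeleton_cert(sig_alg_oid, spki_alg_oid):
    """Minimal DER blob with the given OIDs. Assumption for brevity: AlgorithmIdentifier
    parameters are omitted (real PSS identifiers carry RSASSA-PSS-params, rsaEncryption
    carries NULL); Name and Validity are empty SEQUENCEs and the key is a dummy BIT STRING."""
    alg = lambda oid: _tlv(0x30, _encode_oid(oid))
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))            # v3
    serial = _tlv(0x02, b"\x01")
    empty_seq = _tlv(0x30, b"")                          # stands in for Name / Validity
    spki = _tlv(0x30, alg(spki_alg_oid) + _tlv(0x03, b"\x00"))
    tbs = _tlv(0x30, version + serial + alg(sig_alg_oid) + empty_seq + empty_seq + empty_seq + spki)
    return _tlv(0x30, tbs + alg(sig_alg_oid) + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    # Case the RFC 5246 note describes: the key itself is id-RSASSA-PSS.
    print(pss_usage(skeleton_cert(OID_SHA256_WITH_RSA, OID_RSASSA_PSS)))
    # Case the post asks about: ordinary RSA key, certificate signed with RSASSA-PSS.
    print(pss_usage(skeleton_cert(OID_RSASSA_PSS, OID_RSA_ENCRYPTION)))
```

Run against a real DER certificate (`algorithm_identifiers(open("ca.der", "rb").read())`) the same walker shows directly whether a CA certificate has a PSS key, a PSS signature, or both; the two cases are reported separately because the quoted note only speaks to the first.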