On Wed, Feb 08, 2017 at 07:34:16PM +0000, Timothy Jackson wrote:
> I have a question on RFC5246 (TLS 1.2) and how it's going to interact with
> RSASSA-PSS as we roll out TLS 1.3. Does the prohibition against RSASSA-PSS
> apply only to the signatures that can be used for signing handshakes or
> does it apply to the entire certificate chain as well? I ask because while
> I think the latter may have been the intent I have not found anything that
> indicates the former is not actually what the RFCs require.
>
> The relevant section of RFC4056 reads:
>
> 7.4.2 Server Certificate
> …
> Note that there are certificates that use algorithms and/or algorithm
> combinations that cannot be currently used with TLS. For example, a
> certificate with RSASSA-PSS signature key (id-RSASSA-PSS OID in
> SubjectPublicKeyInfo) cannot be used because TLS defines no
> corresponding signature algorithm.
>
> I don't see anything here that restricts which signatures can be used on
> the certificates themselves. Is that accurate? If so, then I think the
> relevant restrictions are not in TLS RFCs at all, but rather are in RFCs
> such as 4055, 4056, and 5756. These RFCs allow RSASSA-PSS. Is it
> therefore permissible to have a CA that is signed with RSASSA-PSS with
> TLS 1.0, 1.1, or 1.2?
>
> Is this what was intended?
My interpretation: If the client includes RSA-PSS codepoints in its
signature_algorithms, then:

- The server handshake signature MAY be signed using RSA-PSS in TLS 1.2 or
  later. Yes, 1.2, not 1.3.
- The certificate chain MAY contain certificates signed with RSA-PSS in any
  TLS version (however, the salt length must match the hash length).

In the converse case:

- The server MUST NOT sign the handshake using RSA-PSS in any TLS version.
- The certificate chain SHOULD NOT contain certificates signed with RSA-PSS
  in any TLS version.

-Ilari
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
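As an added illustration of the salt-length condition stated in the reply above (this is not code from the thread), a small standalone Python checker that walks the RFC 4055 RSASSA-PSS-params structure found in a certificate's signature AlgorithmIdentifier, applies the RFC 4055 defaults, and reports whether the MGF1 hash matches the signature hash and the salt length equals that digest length. The DER sample bytes are constructed for this example.

```python
# Digest lengths for the hash OIDs RFC 4055 permits in RSASSA-PSS-params.
HASH_LEN = {"1.3.14.3.2.26": 20,            # sha1 (the RFC 4055 default)
            "2.16.840.1.101.3.4.2.1": 32,   # sha256
            "2.16.840.1.101.3.4.2.2": 48,   # sha384
            "2.16.840.1.101.3.4.2.3": 64}   # sha512
SHA1 = "1.3.14.3.2.26"
def der_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode DER OID content bytes to dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))
def alg_oid(alg_id_body):  # OID of an AlgorithmIdentifier, given its SEQUENCE body
    return decode_oid(der_tlv(alg_id_body)[1])
def parse_pss_params(der):
    """Return (hash OID, MGF1 hash OID, salt length), applying RFC 4055 defaults."""
    tag, body, _ = der_tlv(der)
    assert tag == 0x30, "RSASSA-PSS-params must be a SEQUENCE"
    hash_o, mgf_hash_o, salt, pos = SHA1, SHA1, 20, 0
    while pos < len(body):
        tag, inner, pos = der_tlv(body, pos)
        if tag == 0xA0:    # [0] hashAlgorithm
            hash_o = alg_oid(der_tlv(inner)[1])
        elif tag == 0xA1:  # [1] maskGenAlgorithm = SEQUENCE { id-mgf1, HashAlgorithm }
            seq = der_tlv(inner)[1]
            mgf_hash_o = alg_oid(der_tlv(seq, der_tlv(seq)[2])[1])
        elif tag == 0xA2:  # [2] saltLength INTEGER
            salt = int.from_bytes(der_tlv(inner)[1], "big")
    return hash_o, mgf_hash_o, salt

def pss_params_consistent(der):
    """True when MGF1 uses the same hash and the salt length equals that digest length."""
    h, m, salt = parse_pss_params(der)
    return h in HASH_LEN and h == m and salt == HASH_LEN[h]
# Constructed sample: params for SHA-256, MGF1 with SHA-256, saltLength 32 (consistent).
PSS_SHA256_SALT32 = bytes.fromhex(
    "3030a00d300b0609608648016503040201"
    "a11a301806092a864886f70d010108300b0609608648016503040201"
    "a203020120")
# Same structure with saltLength 20: the salt/hash mismatch the reply above rules out.
PSS_SHA256_SALT20 = PSS_SHA256_SALT32[:-1] + b"\x14"
```

An empty SEQUENCE (`30 00`) decodes to the RFC 4055 defaults (SHA-1, MGF1-SHA1, salt 20), which is self-consistent by this test even though the hash itself is not one a TLS 1.3 peer would accept.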