On Thu, Jul 24, 2025, at 17:00, Sean Turner wrote:
> This is the working group last call for Legacy RSASSA-PKCS1-v1_5
> codepoints for TLS 1.3. Please review draft-ietf-tls-tls13-pkcs1 [1]
> and reply to this thread indicating if you think it is ready for
> publication or not. If you do not think it is ready please indicate
> why. This call will end at 2359 UTC on 07 August 2024.
A few minor things:
> Clients SHOULD NOT negotiate them with keys that support RSASSA-PSS.
This is a "SHOULD NOT" without explanation, but I wonder if this could be a
"MUST NOT" instead. Validation of these will be possible because PSS is
mandatory to support.
> TLS implementations SHOULD disable these code points by default.
Another "SHOULD"; maybe the context is enough to cover the explanation, but it
might be worth adding some: "These algorithms are not safe to use in the
general case; see {{security}}."
> external fallbacks break TLS's security analysis and may introduce
> vulnerabilities [POODLE].
TLS 1.3 -> TLS 1.2 external fallbacks are (doubly) protected. Maybe not as
well as you might like, but I'm not sure that you need to elaborate this
particular point.
TLS mailing list
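The two requirements discussed in the message above (prefer PSS whenever the key can do it, and keep the legacy PKCS#1 v1.5 codepoints off by default) boil down to a small selection policy on the client side. The following is an added illustration, not code from the draft, from any TLS library, or from the people in this thread. It parses the body of a TLS 1.3 signature_algorithms extension (the uint16-length-prefixed list of SignatureScheme values from RFC 8446) and picks the scheme to use for CertificateVerify. The RFC 8446 codepoint values are real; the three *_LEGACY values are assumed placeholders for whatever draft-ietf-tls-tls13-pkcs1 registers, and the function names and the allow_legacy_pkcs1 knob are hypothetical.

```python
"""Client-side CertificateVerify scheme selection for TLS 1.3.

Added example code, not from draft-ietf-tls-tls13-pkcs1 or any TLS stack.
The *_LEGACY codepoint values below are ASSUMED placeholders; the other
values are the SignatureScheme codepoints defined in RFC 8446.
"""
from __future__ import annotations

import struct

# RFC 8446 SignatureScheme codepoints (real values).
RSA_PSS_RSAE_SHA256 = 0x0804
RSA_PSS_RSAE_SHA384 = 0x0805
RSA_PSS_RSAE_SHA512 = 0x0806
RSA_PKCS1_SHA256 = 0x0401  # TLS 1.2 only; never valid in a TLS 1.3 CertificateVerify
RSA_PKCS1_SHA384 = 0x0501
RSA_PKCS1_SHA512 = 0x0601

# ASSUMED placeholder values for the draft's legacy TLS 1.3 codepoints.
RSA_PKCS1_SHA256_LEGACY = 0x0420
RSA_PKCS1_SHA384_LEGACY = 0x0520
RSA_PKCS1_SHA512_LEGACY = 0x0620

PSS_SCHEMES = (RSA_PSS_RSAE_SHA256, RSA_PSS_RSAE_SHA384, RSA_PSS_RSAE_SHA512)
LEGACY_PKCS1_SCHEMES = (RSA_PKCS1_SHA256_LEGACY, RSA_PKCS1_SHA384_LEGACY,
                        RSA_PKCS1_SHA512_LEGACY)


def parse_signature_algorithms(ext_data: bytes) -> list[int]:
    """Parse a signature_algorithms extension body:
    SignatureScheme supported_signature_algorithms<2..2^16-2>;
    i.e. a 2-byte length followed by 2-byte scheme codepoints."""
    if len(ext_data) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if length != len(body) or length < 2 or length % 2:
        raise ValueError("bad signature_algorithms vector length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


def select_certificate_verify_scheme(server_offered: list[int],
                                     key_supports_pss: bool,
                                     allow_legacy_pkcs1: bool = False) -> int | None:
    """Pick the scheme the client signs CertificateVerify with.

    - A key that can do PSS only ever uses PSS, even if the server also
      offered the legacy codepoints (the MUST NOT reading of the draft text).
    - Legacy PKCS#1 v1.5 is only considered when the key cannot do PSS AND
      the deployment has explicitly enabled it (off by default).
    - The TLS 1.2 rsa_pkcs1_* codepoints are never selectable here; RFC 8446
      forbids them in a TLS 1.3 CertificateVerify.
    Returns None when nothing acceptable is available (send no certificate).
    """
    if key_supports_pss:
        for scheme in PSS_SCHEMES:
            if scheme in server_offered:
                return scheme
        return None  # no PSS offered: do not fall back to legacy PKCS#1 v1.5
    if not allow_legacy_pkcs1:
        return None  # legacy codepoints disabled by default
    for scheme in LEGACY_PKCS1_SCHEMES:
        if scheme in server_offered:
            return scheme
    return None


if __name__ == "__main__":
    # Constructed extension body: length 6, then rsa_pss_rsae_sha256,
    # rsa_pkcs1_sha256 (TLS 1.2 only) and the assumed legacy codepoint.
    sample = bytes.fromhex("0006" "0804" "0401" "0420")
    offered = parse_signature_algorithms(sample)
    print("offered:", [hex(s) for s in offered])
    print("PSS-capable key ->", hex(select_certificate_verify_scheme(offered, True) or 0))
    print("PKCS1-only key, default ->", select_certificate_verify_scheme(offered, False))
    print("PKCS1-only key, legacy enabled ->",
          hex(select_certificate_verify_scheme(offered, False, True) or 0))
```

Note that even with allow_legacy_pkcs1 enabled, a TLS 1.2-style 0x0401 in the server's list never gets selected; only the draft's dedicated codepoints do, which is the whole point of registering separate values.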