In our work on 7525bis, we've identified an issue with RSASSA-PSS,
specifically whether it should be recommended for TLS 1.2.
Section 4.2.3 of RFC 8446 states:
The "signature_algorithms_cert" extension was added to allow
implementations which supported different sets of algorithms for
certificates and in TLS itself to clearly signal their capabilities.
TLS 1.2 implementations SHOULD also process this extension.
And, later in the same section, says (non-normatively):
In TLS 1.2, RSASSA-PSS is used with RSA cipher suites.
This seems to say that support for the extension is RECOMMENDED, but it
doesn't say that support for RSASSA-PSS itself is RECOMMENDED.
(Naturally this is for TLS 1.2 - the algorithm is definitively
RECOMMENDED for TLS 1.3.)
What is the sense of the WG about saying in 7525bis that support for
RSASSA-PSS should or should not be RECOMMENDED for TLS 1.2?
It's our impression that RSASSA-PSS might help interop in a situation
like this:
- client can do 1.3 and 1.2
- server can do 1.2
- server has a PSS-OID cert
- server can parse signature_algorithms_cert
- client sends CH with versions = {1.3, 1.2} and
signature_algorithms_cert = { RSAPSS, ... }
- server accepts 1.2 and sends the PSS-OID cert
- client verifies and session continues happily
Feedback is welcome.
Peter, Thomas, Yaron
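As an added example (not from the post or from RFC 8446 itself): a small Python model of the check the server in the scenario above would make before sending its PSS-OID certificate under TLS 1.2. The extension numbers and SignatureScheme code points are those of RFC 8446; the server decision function and the two sample ClientHello extension maps are constructed for illustration. It also covers the case the post does not spell out: a PSS-OID key needs an rsa_pss_pss_* scheme, so a client that only lists rsa_pss_rsae_* cannot verify that certificate.

```python
import struct

# SignatureScheme code points from RFC 8446, section 4.2.3
RSA_PSS_RSAE = {0x0804, 0x0805, 0x0806}   # key carries the rsaEncryption OID
RSA_PSS_PSS = {0x0809, 0x080A, 0x080B}    # key carries the id-RSASSA-PSS OID
RSA_PKCS1 = {0x0401, 0x0501, 0x0601}
EXT_SIGNATURE_ALGORITHMS = 13
EXT_SIGNATURE_ALGORITHMS_CERT = 50

def encode_scheme_list(schemes):
    """SignatureScheme supported_signature_algorithms<2..2^16-2>."""
    body = b"".join(struct.pack("!H", s) for s in schemes)
    return struct.pack("!H", len(body)) + body

def decode_scheme_list(data):
    """Inverse of encode_scheme_list; refuses truncated or odd-length bodies."""
    if len(data) < 4:
        raise ValueError("extension body too short")
    (n,) = struct.unpack("!H", data[:2])
    if n < 2 or n % 2 or 2 + n != len(data):
        raise ValueError("bad supported_signature_algorithms length")
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]

def schemes_accepted_in_certs(client_exts):
    """Schemes the client will accept on certificate keys and signatures.
    RFC 8446 4.2.3: when signature_algorithms_cert is absent,
    signature_algorithms governs certificates as well."""
    body = client_exts.get(EXT_SIGNATURE_ALGORITHMS_CERT)
    if body is None:
        body = client_exts[EXT_SIGNATURE_ALGORITHMS]
    return set(decode_scheme_list(body))

def server_can_send_cert(cert_key_oid, client_exts):
    """Hypothetical server-side check (constructed for this example):
    may the server's certificate be sent in reply to this ClientHello?
    A PSS-OID key is only usable with rsa_pss_pss_*; an rsaEncryption
    key with rsa_pss_rsae_* or rsa_pkcs1_*."""
    accepted = schemes_accepted_in_certs(client_exts)
    if cert_key_oid == "id-RSASSA-PSS":
        return bool(accepted & RSA_PSS_PSS)
    if cert_key_oid == "rsaEncryption":
        return bool(accepted & (RSA_PSS_RSAE | RSA_PKCS1))
    raise ValueError("unsupported key type: " + cert_key_oid)

# Constructed ClientHello extensions matching the scenario in the post:
# signature_algorithms_cert lists rsa_pss_pss_sha256 first.
CH_WITH_CERT_EXT = {
    EXT_SIGNATURE_ALGORITHMS: encode_scheme_list([0x0804, 0x0401]),
    EXT_SIGNATURE_ALGORITHMS_CERT: encode_scheme_list([0x0809, 0x0804, 0x0401]),
}
# Same client without the extension: only rsa_pss_rsae/pkcs1, so a PSS-OID cert fails.
CH_WITHOUT_CERT_EXT = {EXT_SIGNATURE_ALGORITHMS: encode_scheme_list([0x0804, 0x0401])}
```

Run `server_can_send_cert("id-RSASSA-PSS", CH_WITH_CERT_EXT)` against `server_can_send_cert("id-RSASSA-PSS", CH_WITHOUT_CERT_EXT)` to see why the extension is what makes the PSS-OID certificate usable in the 1.2 fallback.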
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta