You want to separate the use of PSS in the protocol from PSS in certificates.

Right now, certificates do not routinely include SPKI with PSS OIDs or PSS 
signatures.  Those are poorly supported.  For example, in Firefox we have most 
of the necessary support, but our certificate validation library - the last 
link - is yet to be updated (or it has only very recently been updated; I'd 
need to check).

Support for PSS in the protocol is different.  However, most TLS 1.2 
implementations will have PSS support by virtue of having a TLS 1.3 
implementation.  If both client and server support PSS, then there is a good 
chance that they both support TLS 1.3.  The same logic applies to 
signature_algorithms_cert (which is also not as widely supported as you might 
like; NSS doesn't have complete support for that just yet).  Maybe you can see 
where I'm going ...

On Fri, Oct 22, 2021, at 09:26, Peter Saint-Andre wrote:
> In our work on 7525bis, we've identified an issue with RSASSA-PSS, 
> specifically whether it should be recommended for TLS 1.2.
>
> Section 4.2.3 of RFC 8446 states:
>
>      The "signature_algorithms_cert" extension was added to allow
>      implementations which supported different sets of algorithms for
>      certificates and in TLS itself to clearly signal their capabilities.
>      TLS 1.2 implementations SHOULD also process this extension.
>
> And, later in the same section, says (non-normatively):
>
>      In TLS 1.2, RSASSA-PSS is used with RSA cipher suites.
>
> This seems to say that support for the extension is RECOMMENDED, but it 
> doesn't say that support for RSASSA-PSS itself is RECOMMENDED. 
> (Naturally this is for TLS 1.2 - the algorithm is definitively 
> RECOMMENDED for TLS 1.3.)
>
> What is the sense of the WG about saying in 7525bis that support for 
> RSASSA-PSS should or should not be RECOMMENDED for TLS 1.2?
>
> It's our impression that RSASSA-PSS might help interop in a situation 
> like this:
>
> - client can do 1.3 and 1.2
> - server can do 1.2
> - server has a PSS-OID cert
> - server can parse signature_algorithms_cert
> - client sends CH with versions = {1.3, 1.2} and 
> signature_algorithms_cert = { RSAPSS, ... }
> - server accepts 1.2 and sends the PSS-OID cert
> - client verifies and session continues happily
>
> Feedback is welcome.
>
> Peter, Thomas, Yaron
>
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta
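
The interop scenario in the quoted message, worked through as an added example; this is not code from the thread or from any TLS library. It encodes the three ClientHello extensions that matter here (supported_versions, signature_algorithms and signature_algorithms_cert) with their IANA code points, parses them back the way a server would, and applies the RFC 8446 Section 4.2.3 rule for which certificate a TLS 1.2-only server may send: the server's handshake signature scheme must appear in signature_algorithms, and the scheme the CA used on the certificate must appear in signature_algorithms_cert, falling back to signature_algorithms when the cert extension is absent. The certificate store (`SERVER_CERTS`), `server_select` and the use of supported_versions for the version choice are constructed for this illustration; a 1.2-only server that does not know the extension would use legacy_version instead.

```python
import struct

# IANA TLS ExtensionType values
EXT_SIGNATURE_ALGORITHMS = 13
EXT_SUPPORTED_VERSIONS = 43
EXT_SIGNATURE_ALGORITHMS_CERT = 50

# IANA TLS SignatureScheme values (RFC 8446 Section 4.2.3)
RSA_PKCS1_SHA256 = 0x0401
ECDSA_SECP256R1_SHA256 = 0x0403
RSA_PSS_RSAE_SHA256 = 0x0804   # PSS signature made with an rsaEncryption key
RSA_PSS_PSS_SHA256 = 0x0809    # PSS signature made with an id-RSASSA-PSS key

TLS12 = 0x0303
TLS13 = 0x0304


def _vector(values, length_size):
    """uint16 list with a 1- or 2-byte length prefix (TLS vector encoding)."""
    body = b"".join(struct.pack("!H", v) for v in values)
    return struct.pack("!B" if length_size == 1 else "!H", len(body)) + body


def _extension(ext_type, data):
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_extensions(versions, sig_algs, sig_algs_cert=None):
    """Encode a ClientHello extensions block (uint16 length, then extensions)."""
    exts = _extension(EXT_SUPPORTED_VERSIONS, _vector(versions, 1))
    exts += _extension(EXT_SIGNATURE_ALGORITHMS, _vector(sig_algs, 2))
    if sig_algs_cert is not None:
        exts += _extension(EXT_SIGNATURE_ALGORITHMS_CERT, _vector(sig_algs_cert, 2))
    return struct.pack("!H", len(exts)) + exts


def parse_client_extensions(blob):
    """Decode the block into {ext_type: bytes}, rejecting bad lengths/duplicates."""
    (total,) = struct.unpack("!H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("extensions length mismatch")
    pos, out = 2, {}
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        if pos + ext_len > len(blob):
            raise ValueError("extension overruns block")
        if ext_type in out:
            raise ValueError("duplicate extension %d" % ext_type)
        out[ext_type] = blob[pos:pos + ext_len]
        pos += ext_len
    return out


def _parse_vector(data, length_size):
    (n,) = struct.unpack("!B" if length_size == 1 else "!H", data[:length_size])
    body = data[length_size:]
    if n != len(body) or n % 2:
        raise ValueError("bad uint16 vector")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, n, 2)]


# Constructed certificate store: name -> (scheme of the server's own handshake
# signature, which follows from the key's SPKI; scheme the CA signed it with).
SERVER_CERTS = {
    "pss-oid-cert": (RSA_PSS_PSS_SHA256, RSA_PSS_PSS_SHA256),     # id-RSASSA-PSS SPKI
    "classic-rsa-cert": (RSA_PKCS1_SHA256, RSA_PKCS1_SHA256),     # rsaEncryption SPKI
}


def server_select(blob, server_versions, cert_names):
    """Return (negotiated version, certificate name) or None where nothing fits."""
    exts = parse_client_extensions(blob)
    offered = _parse_vector(exts[EXT_SUPPORTED_VERSIONS], 1)
    version = next((v for v in server_versions if v in offered), None)
    if version is None:
        return None, None
    sig_algs = _parse_vector(exts[EXT_SIGNATURE_ALGORITHMS], 2)
    # RFC 8446 4.2.3: signature_algorithms_cert governs signatures in
    # certificates; when absent, signature_algorithms applies to them as well.
    if EXT_SIGNATURE_ALGORITHMS_CERT in exts:
        cert_algs = _parse_vector(exts[EXT_SIGNATURE_ALGORITHMS_CERT], 2)
    else:
        cert_algs = sig_algs
    for name in cert_names:
        handshake, signed_with = SERVER_CERTS[name]
        if handshake in sig_algs and signed_with in cert_algs:
            return version, name
    return version, None


def main():
    # The quoted scenario: client does 1.3 and 1.2 and lists PSS for
    # certificates; the server is 1.2-only and holds a PSS-OID certificate.
    hello = build_client_extensions(
        [TLS13, TLS12],
        [ECDSA_SECP256R1_SHA256, RSA_PSS_PSS_SHA256, RSA_PSS_RSAE_SHA256, RSA_PKCS1_SHA256],
        [RSA_PSS_PSS_SHA256, RSA_PSS_RSAE_SHA256, RSA_PKCS1_SHA256],
    )
    print(server_select(hello, [TLS12], ["pss-oid-cert", "classic-rsa-cert"]))


if __name__ == "__main__":
    main()
```

Dropping rsa_pss_pss_sha256 from signature_algorithms_cert (or omitting the extension while leaving it out of signature_algorithms) makes the server fall back to the rsaEncryption certificate, which is exactly the interop gap the message is asking about.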
