> Well, we've been thinking specifically about whether to recommend PSS for TLS 1.2 implementations and deployments. Naturally you get PSS for free if you've upgraded to TLS 1.3, but do we want to say that if you haven't upgraded to TLS 1.3 yet you should update your TLS 1.2 implementation or deployment to add PSS?
No, don't. It's highly unlike that the TLS 1.2 code will be updated to review and check the extra PSS parameters, so it gives you no additional security. (It's not clear that many TLS 1.3 implementations do that either) I find this argument by Peter Gutmann from November 2019 compelling: https://www.metzdowd.com/pipermail/cryptography/2019-November/035449.html _______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta