> Well, we've been thinking specifically about whether to recommend PSS
for TLS 1.2 implementations and deployments. Naturally you get PSS for
free if you've upgraded to TLS 1.3, but do we want to say that if you
haven't upgraded to TLS 1.3 yet you should update your TLS 1.2
implementation or deployment to add PSS?
No, don't. It's highly unlike that the TLS 1.2 code will be updated to review
and check the extra PSS parameters, so it gives you no additional security.
(It's not clear that many TLS 1.3 implementations do that either)
I find this argument by Peter Gutmann from November 2019 compelling:
https://www.metzdowd.com/pipermail/cryptography/2019-November/035449.html
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
