[cabfpub] RSA-PSS in TLS 1.3

Richard Barnes rbarnes at mozilla.com
Tue Mar 1 14:36:36 MST 2016


Two corrections here:

1. The current debate in TLS [1] is not about certificates, it's about the
authentication signature in TLS, i.e., the signature by which the remote
party proves control of the private key corresponding to the public key in
the certificate.  The invocation of CABF is peripheral to the discussion.
Certificate validation and algorithms for signing certs are not germane to
the TLS WG.

2. NSS has full support for RSA-PSS as an algorithm [2], but it has not
been plumbed through to the mozilla::pkix library used by Firefox, or the
path building libraries included in NSS.  There is a bug open to add it to
mozilla::pkix [3].

[1] https://mailarchive.ietf.org/arch/msg/tls/1Os5H_4Njnj2mxT5Djs7PNvyN1A
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1215295
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1088140

On Tue, Mar 1, 2016 at 3:54 PM, Ryan Sleevi <sleevi at google.com> wrote:

> NSS doesn't support them, so that's a decent chunk of Firefox and Chrome
> (OS, Linux, iOS) users.
>
> On Tue, Mar 1, 2016 at 12:52 PM, Rick Andrews <Rick_Andrews at symantec.com>
> wrote:
>
>> Peter, no, nothing in the BRs forbids PSS. For all I know there may be
>> CAs issuing certs with PSS signatures. But I don't think anyone has done a
>> survey of browser and server support.
>>
>> -Rick
>>
>> > On Mar 1, 2016, at 12:49 PM, Peter Bowen <pzb at amzn.com> wrote:
>> >
>> > Rick,
>> >
>> > One clarification related specifically to CA/Browser Forum:
>> >
>> > I do not see anything in the BRs that requires or forbids RSASSA-PSS.
>> > Is there anything that prevents public CAs from issuing certificates with
>> > RSASSA-PSS (e.g. RFC 4055/5756) signatures?
>> >
>> > Thanks,
>> > Peter
>> >
>> >> On Mar 1, 2016, at 12:12 PM, Rick Andrews <rick_andrews at symantec.com>
>> >> wrote:
>> >>
>> >> I'm cross-posting in case others want to participate in this
>> >> discussion on the IETF TLS Working Group. They're having a debate on
>> >> whether TLS 1.3 should allow or require RSA-PSS signatures on TLS
>> >> certificates.
>> >>
>> >> It would be better to have the debate there instead of here, but I will
>> >> cross-post if anyone has a burning need to share but not join the WG.
>> >>
>> >> -Rick
>> >>
>> >> ----------------------------------------------------------------------
>> >>
>> >> Message: 1
>> >> Date: Tue, 1 Mar 2016 21:20:39 +0200
>> >> From: Yoav Nir <ynir.ietf at gmail.com>
>> >> To: Alyssa Rowan <akr at akr.io>
>> >> Cc: tls at ietf.org
>> >> Subject: Re: [TLS] RSA-PSS in TLS 1.3
>> >> Message-ID: <BBA8149E-114A-49D3-8159-A87ADB545482 at gmail.com>
>> >> Content-Type: text/plain; charset=utf-8
>> >>
>> >>
>> >> On 1 Mar 2016, at 8:23 PM, Alyssa Rowan <akr at akr.io> wrote:
>> >>
>> >>>> [YN] It would be cool to ban PKCS#1.5 from certificates, but we are
>> >>>> not the PKIX working group. Nor are we the CA/Browser forum.
>> >>>> When a CA issues a certificate it has to work with every client and
>> >>>> server out there. When we use TLS 1.3, the other side supports TLS
>> >>>> 1.3 as well, so it's fair to assume that it knows PSS.
>> >>>
>> >>> Perhaps the PKIX working group and CAB/Forum could both use a friendly
>> >>> reminder not to ignore how perilous using RSA PKCS#1 v1.5 still
>> >>> remains?
>> >>
>> >> Neither you nor I can post in any of the CA/Browser forum's lists,
>> >> because neither of us has either a browser or a public CA.
>> >>
>> >> There are some people who are active there and are reading this list,
>> >> so they might take such a proposal there. I'm not very optimistic, though.
>> >> While only CAs and browsers are members, they are keenly aware that
>> >> even the public CAs have a wide variety of relying parties, running all
>> >> sorts of software. And it's much harder to scan clients than it is to
>> >> scan servers, so it's difficult to say how many clients will not be able
>> >> to connect to a server with a certificate signed with RSA-PSS. Probably
>> >> far too many for the CA/BF to be comfortable deprecating PKCS#1.
>> >>
>> >> The PKIX working group shut down several years ago. The Curdle WG is a
>> >> new working group whose charter includes deprecating obsolete stuff.
>> >> Perhaps they might be interested.
>> >>
>> >> Yoav
>> >>
>> >>
>> >> _______________________________________________
>> >> Public mailing list
>> >> Public at cabforum.org
>> >> https://cabforum.org/mailman/listinfo/public
>> >
>>