[cabfpub] RSA-PSS in TLS 1.3

Peter Bowen pzb at amzn.com
Tue Mar 1 20:49:02 UTC 2016


One clarification related specifically to CA/Browser Forum: 

I do not see anything in the BRs that requires or forbids RSASSA-PSS.  Is there anything that prevents public CAs from issuing certificates with RSASSA-PSS (e.g. RFC 4055/5756) signatures?


> On Mar 1, 2016, at 12:12 PM, Rick Andrews <rick_andrews at symantec.com> wrote:
> I'm cross-posting in case others want to participate in this discussion on
> the IETF TLS Working Group. They're having a debate on whether TLS 1.3
> should allow or require RSA-PSS signatures on TLS certificates.
> It would be better to have the debate there instead of here, but I will
> cross-post if anyone has a burning need to share but not join the WG.
> -Rick
> ----------------------------------------------------------------------
> Message: 1
> Date: Tue, 1 Mar 2016 21:20:39 +0200
> From: Yoav Nir <ynir.ietf at gmail.com>
> To: Alyssa Rowan <akr at akr.io>
> Cc: tls at ietf.org
> Subject: Re: [TLS] RSA-PSS in TLS 1.3
> Message-ID: <BBA8149E-114A-49D3-8159-A87ADB545482 at gmail.com>
> Content-Type: text/plain; charset=utf-8
> On 1 Mar 2016, at 8:23 PM, Alyssa Rowan <akr at akr.io> wrote:
>>> [YN] It would be cool to ban PKCS#1.5 from certificates, but we are 
>>> not the PKIX working group. Nor are we the CA/Browser forum.
>>> When a CA issues a certificate it has to work with every client and 
>>> server out there. When we use TLS 1.3, the other side supports TLS 
>>> 1.3 as well, so it's fair to assume that it knows PSS.
>> Perhaps the PKIX working group and CAB/Forum could both use a friendly 
>> reminder not to ignore how perilous using RSA PKCS#1 v1.5 still remains?
> Neither you nor I can post in any of the CA/Browser forum's lists, because
> neither of us has either a browser or a public CA. 
> There are some people who are active there and are reading this list, so
> they might take such a proposal there. I'm not very optimistic, though.
> While only CAs and browsers are members, they are keenly aware that even the
> public CAs have a wide variety of relying parties, running all sorts of
> software. And it's much harder to scan clients than it is to scan servers,
> so it's difficult to say how many clients will not be able to connect to a
> server with a certificate signed with RSA-PSS. Probably far too many for the
> CA/BF to be comfortable deprecating PKCS#1.  
> The PKIX working group has shut down several years ago. The Curdle WG is a
> new working group whose charter includes deprecating obsolete stuff. Perhaps
> they might be interested.
> Yoav 