[cabfpub] RSA-PSS in TLS 1.3

Rick Andrews Rick_Andrews at symantec.com
Tue Mar 1 20:52:57 UTC 2016

Peter, no, nothing in the BRs forbids PSS. For all I know there may be CAs issuing certs with PSS signatures. But I don't think anyone has done a survey of browser and server support. 


> On Mar 1, 2016, at 12:49 PM, Peter Bowen <pzb at amzn.com> wrote:
> Rick,
> One clarification related specifically to CA/Browser Forum: 
> I do not see anything in the BRs that requires or forbids RSASSA-PSS.  Is there anything that prevents public CAs from issuing certificates with RSASSA-PSS (e.g RFC 4055/5756) signatures?
> Thanks,
> Peter
>> On Mar 1, 2016, at 12:12 PM, Rick Andrews <rick_andrews at symantec.com> wrote:
>> I'm cross-posting in case others want to participate in this discussion on
>> the IETF TLS Working Group. They're having a debate on whether TLS 1.3
>> should allow or require RSA-PSS signatures on TLS certificates.
>> It would be better to have the debate there instead of here, but I will
>> cross-post if anyone has a burning need to share but not join the WG.
>> -Rick
>> ----------------------------------------------------------------------
>> Message: 1
>> Date: Tue, 1 Mar 2016 21:20:39 +0200
>> From: Yoav Nir <ynir.ietf at gmail.com>
>> To: Alyssa Rowan <akr at akr.io>
>> Cc: tls at ietf.org
>> Subject: Re: [TLS] RSA-PSS in TLS 1.3
>> Message-ID: <BBA8149E-114A-49D3-8159-A87ADB545482 at gmail.com>
>> Content-Type: text/plain; charset=utf-8
>> On 1 Mar 2016, at 8:23 PM, Alyssa Rowan <akr at akr.io> wrote:
>>>> [YN] It would be cool to ban PKCS#1.5 from certificates, but we are 
>>>> not the PKIX working group. Nor are we the CA/Browser forum.
>>>> When a CA issues a certificate it has to work with every client and 
>>>> server out there, When we use TLS 1.3, the other side supports TLS 
>>>> 1.3 as well, so it?s fair to assume that it knows PSS.
>>> Perhaps the PKIX working group and CAB/Forum could both use a friendly 
>>> reminder not to ignore how perilous using RSA PKCS#1 v1.5 still remains?
>> Neither you nor I can post in any of the CA/Browser forum?s lists, because
>> neither of us has either a browser or a public CA. 
>> There are some people who are active there and are reading this list, so
>> they might take such a proposal there. I?m not very optimistic, though.
>> While only CAs and browsers are members, they are keenly aware that even the
>> public CAs have a wide variety of relying parties, running all sorts of
>> software. And it?s much harder to scan clients than it is to scan servers,
>> so it?s difficult to say how many clients will not be able to connect to a
>> server with a certificate signed with RSA-PSS. Probably far too many for the
>> CA/BF to be comfortable deprecating PKCS#1.  
>> The PKIX working group has shut down several years ago. The Curdle WG is a
>> new working group whose charter includes deprecating obsolete stuff. Perhaps
>> they might be interested.
>> Yoav 
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public

More information about the Public mailing list