On 2/16/2015 6:15 AM, Brian Smith wrote:
I want to make a proposal to get PSS support into TLS
1.3 and it would certainly help if I could say that all major TLS
libraries support it already.
First somebody needs to create a reasonable specification detailing
exactly which subset of the PSS specification should be supported for
TLS. The current PSS specification allows *way* too much flexibility
and also has terrible defaults. I believe Antoine and his team have a
good idea of what a reasonable subset of PSS would look like. I
recommend working with him to develop such a spec. Without such a
spec, I wouldn't support adding PSS support to mozilla::pkix.

We have thought about how to get PSS into TLS 1.3 (both for CertificateVerify signatures and within certificate chains). I am not inclined to believe (after bringing up the issue privately with ekr) that it is possible to make PSS the default RSA algorithm in TLS. Instead, I have suggested [1] to use the (now mandatory) signature_algorithms extension to negotiate the algorithm of the CertificateVerify signatures instead of making it part of the cipher suite name. In this spirit, it seems perfectly adequate to define new OIDs for the PSS(sha256, mgf-sha256, 32) and PSS(sha384, mgf-sha384, 48) algorithms as rsa-pss/sha256 and rsa-pss/sha384 that certification authorities could use to sign certificates (this would unify the semantics of signature algorithm support in TLS and PKIX, and make it independent of the key-exchange related cipher suite negotiation).

Even though ekr appeared willing to implement this change when we discussed it, the TLS working group has mixed feelings about this idea; hence, I haven't tried pushing it further. If there is some willingness from Mozilla and/or Google to back it up, I would be happy to assist with the writing of a specification for it.

As an alternative, it would also be possible to keep the current RSA signatures for CertificateVerify messages and only introduce support for PSS in certificates. However, the CA system evolves slowly (many CAs use HSMs that either don't support PKCS#1 v2.1 or won't accept mgf-sha256), and without use in TLS itself I doubt that PSS will see any adoption.

Best,

Antoine

[1] https://www.ietf.org/mail-archive/web/tls/current/msg14859.html


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
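
As an added example (not code from this thread; it uses the `cryptography` Python package, and the profile names, the key and the message are constructed for the demo), a verifier pinned to the PSS(sha256, mgf-sha256, 32) and PSS(sha384, mgf-sha384, 48) profiles named in the message above, checked against signatures made under the PKCS#1 v2.1 defaults (SHA-1, MGF1-SHA1, 20-byte salt) and under other parameter choices the unrestricted specification permits:

```python
"""Pin RSA-PSS to a fixed (hash, MGF1 hash, salt length) profile and reject
everything else. Added example using the `cryptography` package; the key,
message and profile names are constructed for the demo."""
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# The two profiles from the message: hash, MGF1 hash and salt length are tied
# together (salt length = digest length), so nothing is left to negotiate.
PROFILES = {
    "rsa-pss/sha256": (hashes.SHA256, 32),
    "rsa-pss/sha384": (hashes.SHA384, 48),
}


def pss_padding(hash_cls, salt_len):
    # MGF1 uses the same hash as the message digest; salt length is fixed.
    return padding.PSS(mgf=padding.MGF1(hash_cls()), salt_length=salt_len)


def sign(private_key, profile, message):
    hash_cls, salt_len = PROFILES[profile]
    return private_key.sign(message, pss_padding(hash_cls, salt_len), hash_cls())


def verify(public_key, profile, message, signature):
    """Return True iff `signature` verifies under exactly `profile`.

    Passing an explicit salt_length (rather than an 'auto' value) makes the
    verifier reject signatures whose recovered salt length differs."""
    hash_cls, salt_len = PROFILES[profile]
    try:
        public_key.verify(signature, message, pss_padding(hash_cls, salt_len), hash_cls())
        return True
    except InvalidSignature:
        return False


def demo(key_bits=2048):
    """Exercise the pinned verifier; every value in the returned dict should be True."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    pub = key.public_key()
    msg = b"CertificateVerify transcript hash (constructed)"
    results = {}

    for profile in PROFILES:
        sig = sign(key, profile, msg)
        results[profile] = verify(pub, profile, msg, sig)
        # PSS is randomised: same key and message, different signature bytes.
        results[profile + "/randomised"] = sign(key, profile, msg) != sig
        results[profile + "/tamper-rejected"] = not verify(pub, profile, msg + b"x", sig)

    sha256_pss = "rsa-pss/sha256"

    # PKCS#1 v2.1 defaults: SHA-1 for the digest and MGF1, 20-byte salt.
    legacy = key.sign(msg, padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=20), hashes.SHA1())
    results["v21-defaults-rejected"] = not verify(pub, sha256_pss, msg, legacy)

    # Same digest, shorter salt: still outside the profile.
    short_salt = key.sign(msg, padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=20), hashes.SHA256())
    results["short-salt-rejected"] = not verify(pub, sha256_pss, msg, short_salt)

    # MGF1 hash different from the message hash (allowed by PKCS#1, excluded here).
    mixed = key.sign(msg, padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=32), hashes.SHA256())
    results["mixed-mgf-rejected"] = not verify(pub, sha256_pss, msg, mixed)

    # PKCS#1 v1.5 signature, as TLS <= 1.2 CertificateVerify uses today.
    v15 = key.sign(msg, padding.PKCS1v15(), hashes.SHA256())
    results["pkcs1v15-rejected"] = not verify(pub, sha256_pss, msg, v15)

    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {'ok' if ok else 'FAIL'}")
```

The point of the explicit `salt_length` in `verify` is that it is what turns a "subset of PSS" into something a verifier can enforce: a verifier that recovers whatever salt length the signer chose accepts every parameter set the full specification allows, which is exactly the flexibility the message argues against.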