Re: RSA Signature Padding

[Tom Gindin <tgindin@xxxxxxxxxx>]

        Is "we" the right term?  The latest TLS (RFC 5246 section 4.7) 
specifies RSA signatures but does not seem to permit PSS ones.  PKIX at 
least has PSS in RFC 4055.  We could encourage vendors by producing a 
consolidated "algorithms" RFC which deprecates the use of MD2 and MD5 for 
new certificates, while suggesting that any RP vendor supporting 
sha1WithRSAEncryption as a signatureAlgorithm SHOULD also support 
id-RSASSA-PSS.  Are you suggesting that we should also tell people not to 
use sha256WithRSAEncryption, sha384WithRSAEncryption, or 
sha512WithRSAEncryption as signatureAlgorithm values but to use those hash 
algorithms as PSS parameters instead?
        Should such an RFC be targeted for New Year's 2011?

                Tom Gindin




"Santosh Chokhani" <SChokhani@xxxxxxxxxxxx> 
Sent by: owner-ietf-pkix@xxxxxxxxxxxx
06/03/2009 12:58 PM

To
"IETF-pkix" <ietf-pkix@xxxxxxx>
cc

Subject
RSA Signature Padding







I do not know if this is the right forum.

Should we encourage vendors to use RSA PSS as we transition to SHA-256
given the weakness in PKCS 1.5 padding?

Santosh Chokhani
CygnaCom Solutions

"Questioning conventional wisdom is key to innovation"