
RE: RSA: 00: draft-ietf-pkix-rsa-pkalgs-00.txt - binding key to 1 alg



Tom,

Our intent is to encourage the use of a key pair with only one algorithm.
The security analysis for each algorithm assumes a key pair is used with
only the particular algorithm (and with a generally fixed set of underlying
components).  While we are not aware of any "bad" interactions if a key is
used for both RSAES-OAEP and RSASSA-PSS, the security "assurance" may be
reduced because the security analysis is no longer directly applicable.

(If someone were to do the full security analysis for the use of a key pair
with both algorithms, and the result were positive, then there would be
motivation to change this recommendation.)

Similarly, we would not recommend using a key with PKCS1-V1_5 and either of
the newer schemes.

But I understand that to encourage adoption of the new schemes, it may be
necessary to allow a key pair to be used with more than one algorithm in the
interim.

-- Burt

-----Original Message-----
From: Tom Gindin [mailto:tgindin@xxxxxxxxxx]
Sent: Saturday, February 22, 2003 8:15 AM
To: Russ Housley; Kaliski, Burt
Cc: Manger, James H; IETF-PKIX@xxxxxxx
Subject: RE: RSA: 00: draft-ietf-pkix-rsa-pkalgs-00.txt - binding key to
1 alg



      Russ, Burt:

      Is the statement in section 6 of RFC 3447 (PKCS #2 2.1) really
intended to suggest that TLS/SSL servers and S/MIME clients should not be
implemented with single RSA key pairs which use RSA-PSS for signatures and
also use RSA-OAEP for key encipherment?  It seems to cover that case,
although the examples given suggest that using two distinct
signature-capable schemes is undesirable, as is using two distinct
encryption-capable schemes, and so it is wrong to use PKCS1-V1_5 with
either of the newer schemes.

            Tom Gindin
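
One way an application could enforce the one-key-one-algorithm recommendation discussed in this thread, including the interim allowance for mixed use. This is an added example, not part of the original messages or of the draft; the class name `KeySchemeGuard`, the `interim` switch and the sample key bytes are assumptions of the example.

```python
import hashlib

# Scheme names as they appear in the thread.
SCHEMES = ("RSAES-OAEP", "RSASSA-PSS", "PKCS1-V1_5")


class KeySchemeGuard:
    """Bind each RSA key to the first scheme it is used with (hypothetical helper)."""

    def __init__(self, interim=False):
        # interim=True models the transition period mentioned in the reply:
        # mixed use is permitted, but every occurrence is recorded.
        self.interim = interim
        self._bound = {}      # key fingerprint -> scheme the key is bound to
        self.mixed_use = []   # (fingerprint, bound scheme, requested scheme)

    @staticmethod
    def fingerprint(rsa_public_key_der):
        # Hash the bare RSA public key (modulus and exponent) rather than a
        # structure that also carries an algorithm identifier, so the same
        # key pair always maps to the same fingerprint.
        return hashlib.sha256(rsa_public_key_der).hexdigest()

    def authorize(self, rsa_public_key_der, scheme):
        """Return True if this key may be used with `scheme`."""
        if scheme not in SCHEMES:
            raise ValueError("unknown scheme: %r" % (scheme,))
        fp = self.fingerprint(rsa_public_key_der)
        # First use binds the key; later uses are compared to that binding.
        bound = self._bound.setdefault(fp, scheme)
        if bound == scheme:
            return True
        self.mixed_use.append((fp, bound, scheme))
        return self.interim


if __name__ == "__main__":
    key = b"constructed-public-key-bytes"  # constructed sample, not a real key
    guard = KeySchemeGuard()
    print(guard.authorize(key, "RSASSA-PSS"))   # first use binds the key
    print(guard.authorize(key, "RSAES-OAEP"))   # second scheme is refused
```
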