Conversation

@ekr ekr commented Nov 17, 2025

No description provided.

ekr force-pushed the remove_pkcs1_requirement branch from 313c8d8 to bfc3ac8 on November 17, 2025 15:17
@davidben davidben left a comment

LGTM.

For posterity, what this does is make PSS's allowed status implicit from the semantics of the particular SignatureScheme codepoints which are active. For the codepoints defined in this document, the net effect of this PR is a no-op, because the PKCS1 algorithms are already defined as (emphasis mine):

Indicates a signature algorithm using RSASSA-PKCS1-v1_5 [RFC8017] with the corresponding hash algorithm as defined in [SHS]. These values refer solely to signatures which appear in certificates (see Section 4.4.2.2) and are not defined for use in signed TLS handshake messages, although they MAY appear in "signature_algorithms" and "signature_algorithms_cert" for backward compatibility with TLS 1.2.

However, this opens the door for other SignatureSchemes to define other semantics, notably draft-ietf-tls-tls13-pkcs1.
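The per-codepoint semantics described in the comment above, as an added example (not code from the PR, the draft or its authors): each SignatureScheme carries its own usage rule, and whether PSS ends up "required" simply falls out of which codepoints are active. Codepoints and usage rules are taken from RFC 8446 Section 4.2.3; the function names, the peer/local lists and the version constants are assumptions.

```python
from dataclasses import dataclass

TLS12, TLS13 = 0x0303, 0x0304  # TLS legacy_version / supported_versions values


@dataclass(frozen=True)
class Scheme:
    name: str
    cert_ok: bool             # may appear as a certificate signature
    handshake_ok_tls13: bool  # may sign a TLS 1.3 CertificateVerify


# RFC 8446 Section 4.2.3 codepoints (subset). rsa_pkcs1_* are defined solely for
# certificate signatures and are not usable for TLS 1.3 handshake signatures.
SCHEMES = {
    0x0401: Scheme("rsa_pkcs1_sha256", True, False),
    0x0501: Scheme("rsa_pkcs1_sha384", True, False),
    0x0601: Scheme("rsa_pkcs1_sha512", True, False),
    0x0201: Scheme("rsa_pkcs1_sha1", True, False),   # legacy, certificates only
    0x0403: Scheme("ecdsa_secp256r1_sha256", True, True),
    0x0804: Scheme("rsa_pss_rsae_sha256", True, True),
    0x0809: Scheme("rsa_pss_pss_sha256", True, True),
    0x0807: Scheme("ed25519", True, True),
}


def choose_certificate_verify_scheme(peer_sigalgs, local_supported, version):
    """Pick the scheme to sign our CertificateVerify with, honouring the peer's
    preference order. Returns None when nothing usable is offered (the handshake
    then fails). Key-type matching (rsae vs pss) is ignored here for brevity."""
    for cp in peer_sigalgs:
        s = SCHEMES.get(cp)
        if s is None or cp not in local_supported:
            continue
        if version == TLS13 and not s.handshake_ok_tls13:
            continue  # e.g. rsa_pkcs1_sha256: allowed in the list, not for signing
        return cp
    return None


def accept_received_certificate_verify(cp, version):
    """Receiver-side check: a TLS 1.3 CertificateVerify must not use a
    certificates-only scheme even if we advertised it for TLS 1.2 compatibility."""
    s = SCHEMES.get(cp)
    if s is None:
        return False
    return s.handshake_ok_tls13 if version == TLS13 else True
```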

ekr commented Nov 17, 2025

Note that this document is with the RPC, so this PR is going to be held pending Auth48.

@paulwouters paulwouters left a comment

Please note this change of behaviour in the "Relationship to RFC 8446" Section as well.
