Contact emails
davi...@chromium.org, nha...@chromium.org, sva...@chromium.org
Spec
https://tools.ietf.org/html/draft-ietf-tls-tls13-15#section-4.2.2
https://tools.ietf.org/html/rfc3447
(TLS, so W3C TAG review not applicable)
Summary
Among many other changes, TLS 1.3 will revise the signature algorithms mechanism and switch from RSASSA-PKCS1-v1_5 to RSASSA-PSS (also known as RSA-PSS). While our TLS 1.3 implementation is still in progress, we intend to ship the new signature algorithms to our TLS 1.2 implementation early.
Motivation
RSA-PSS has a security proof and avoids a number of problems with the older ad-hoc RSA signature algorithm, so it is used in TLS 1.3 and QUIC. This will make it available to TLS 1.2 as well.
More importantly, this is the first time in the history of TLS that we have added new signature algorithms. Although the protocol allows for new algorithms to be added, unexercised joints tend to rust shut as buggy software is deployed to the ecosystem unnoticed. By shipping this part of TLS 1.3 early, we hope to pave the road for this part of the new protocol. (Or perhaps we will learn of insurmountable ecosystem problems and need to change the protocol.)
Interoperability and Compatibility Risk
RSASSA-PKCS1-v1_5 signatures will still be accepted over TLS 1.2, so correct TLS stacks will continue to work as before. TLS parameters are negotiated, so it is, in theory, safe to add new ones. As noted, in reality, servers may always have unnoticed bugs. We are aware of one affected implementation which was fixed a year ago. Data from scanning a list of top sites suggests the impact should be small enough to overcome (35 hosts out of about 500,000). We will reach out to affected sites and monitor the change as it progresses through Chrome’s release channels.
There is well-established consensus that TLS 1.3 will use RSA-PSS, and RSA-PSS itself was specified over 10 years ago, so needing to change things is unlikely. Should that still happen, parameter negotiation means the chances of a server depending on our early deployment are negligible. Such servers would not interoperate with any other client.
Ongoing technical constraints
None. RSA-PSS will be needed for TLS 1.3 anyway, and the new signature algorithm mechanism makes things cleaner than before. This will further simplify our code by removing our version-dependent signature algorithms list.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
OWP launch tracking bug
Link to entry on the feature dashboard
https://www.chromestatus.com/feature/5748550642171904
Requesting approval to ship?
Yes

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
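The encoding step that separates RSA-PSS from RSASSA-PKCS1-v1_5, as an added example that is not Chromium or BoringSSL code: EMSA-PSS encode and verify from RFC 3447 section 9.1, using SHA-256 and a salt the size of the digest as TLS 1.3 requires. The sample message, the 2048-bit modulus size (so emBits = 2047) and the function names are assumptions; the RSA private-key operation that turns EM into a signature and the public-key operation that recovers EM on the peer are deliberately left out.

```python
"""EMSA-PSS (RFC 3447 section 9.1) with SHA-256, salt length == digest length.

Added example, not Chromium/BoringSSL code. It stops at the encoded message
EM; the RSA modular-exponentiation steps around it are not shown.
"""
import hashlib
import hmac
import os
from typing import Optional

HASH = hashlib.sha256
H_LEN = HASH().digest_size  # 32 for SHA-256


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 3447 appendix B.2.1): Hash(seed || counter) concatenated."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def emsa_pss_encode(message: bytes, em_bits: int, salt_len: int = H_LEN,
                    salt: Optional[bytes] = None) -> bytes:
    """EMSA-PSS-ENCODE. em_bits is modBits - 1 for an RSA modulus of modBits."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + salt_len + 2:
        raise ValueError("encoding error: modulus too short for this salt")
    m_hash = HASH(message).digest()
    if salt is None:
        salt = os.urandom(salt_len)  # fresh random salt: PSS is randomized
    if len(salt) != salt_len:
        raise ValueError("salt length mismatch")
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - salt_len - H_LEN - 2) + b"\x01" + salt
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - H_LEN - 1)))
    top_bits = 8 * em_len - em_bits  # leading bits cleared so EM < modulus
    masked_db = bytes([masked_db[0] & (0xFF >> top_bits)]) + masked_db[1:]
    return masked_db + h + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int,
                    salt_len: int = H_LEN) -> bool:
    """EMSA-PSS-VERIFY: True iff em is a consistent encoding of message."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + salt_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    top_bits = 8 * em_len - em_bits
    if masked_db[0] & ((0xFF << (8 - top_bits)) & 0xFF):
        return False  # leading bits must be zero
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, em_len - H_LEN - 1)))
    db[0] &= 0xFF >> top_bits
    ps_len = em_len - H_LEN - salt_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False  # padding string must be all zero, then the 0x01 separator
    salt = bytes(db[ps_len + 1:])
    h_prime = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()
    return hmac.compare_digest(h, h_prime)


def demo(em_bits: int = 2047) -> dict:
    """Encode a constructed message for a 2048-bit modulus and check the
    properties a TLS peer relies on: it verifies, tampering with either the
    message or the encoding is caught, and two encodings of the same message
    differ because the salt is fresh each time."""
    msg = b"constructed sample: TLS 1.2 ServerKeyExchange parameters"
    em1 = emsa_pss_encode(msg, em_bits)
    em2 = emsa_pss_encode(msg, em_bits)
    return {
        "valid": emsa_pss_verify(msg, em1, em_bits),
        "tampered_message": emsa_pss_verify(msg + b"!", em1, em_bits),
        "tampered_encoding": emsa_pss_verify(
            msg, bytes([em1[0] | 0x80]) + em1[1:], em_bits),
        "randomized": em1 != em2,
    }


if __name__ == "__main__":
    print(demo())
```

The verifier checks every structural field (trailer byte, cleared leading bits, zero padding string, 0x01 separator) before recomputing H', and compares hashes in constant time; the randomized salt is why a PSS signature over the same message never repeats, unlike the deterministic PKCS#1 v1.5 encoding.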
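How the negotiation described under "Interoperability and Compatibility Risk" plays out when a PSS-capable client talks to TLS 1.2 servers, as an added example that is not Chromium code: the signature_algorithms encoding from draft-15 section 4.2.2, a conforming server, a constructed model of a server that aborts on code points it does not recognise (the class of bug the intent is worried about), and the client-side check that the chosen scheme was actually offered. The client preference order and the server capability sets are constructed for illustration and are not Chrome's actual list.

```python
"""signature_algorithms negotiation simulated over TLS 1.2.

Added example, not Chromium code. Server behaviours are constructed models.
"""
import struct

# SignatureScheme code points from draft-ietf-tls-tls13-15 section 4.2.2
# (the rsa_pss_* names became rsa_pss_rsae_* in the final RFC 8446). The
# two-byte values line up with TLS 1.2 SignatureAndHashAlgorithm pairs, e.g.
# 0x0401 is {sha256, rsa}, which is why the list can be sent to 1.2 servers.
SIGNATURE_SCHEMES = {
    0x0401: "rsa_pkcs1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_sha256",
    0x0805: "rsa_pss_sha384",
    0x0806: "rsa_pss_sha512",
    0x0807: "ed25519",
    0x0808: "ed448",
}


def encode_signature_algorithms(schemes) -> bytes:
    """Extension body: uint16 length prefix followed by uint16 code points."""
    body = b"".join(struct.pack("!H", s) for s in schemes)
    return struct.pack("!H", len(body)) + body


def parse_signature_algorithms(ext: bytes):
    """Parse the body. Malformed lengths are rejected; unknown code points are
    kept, because a conforming peer ignores rather than rejects them."""
    if len(ext) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (n,) = struct.unpack("!H", ext[:2])
    if n == 0 or n % 2 or 2 + n != len(ext):
        raise ValueError("bad signature_algorithms length")
    return [struct.unpack("!H", ext[i:i + 2])[0] for i in range(2, 2 + n, 2)]


def conforming_server(offer, supported):
    """Pick the client's most preferred scheme that the server supports."""
    for s in offer:
        if s in supported:
            return s
    return None


def buggy_server(offer, supported):
    """Constructed model of an interop bug: abort if the client lists any
    code point the server does not know, instead of skipping it."""
    if any(s not in supported for s in offer):
        return None
    return conforming_server(offer, supported)


def misbehaving_server(offer, supported):
    """Constructed model: always answers with its own favourite scheme."""
    return 0x0401


def handshake(client_offer, server_fn, server_supported):
    """Client sends the extension, server chooses, client verifies that the
    chosen scheme is one it offered. Returns the scheme name or None."""
    offer = parse_signature_algorithms(encode_signature_algorithms(client_offer))
    chosen = server_fn(offer, server_supported)
    if chosen is None or chosen not in client_offer:
        return None  # no overlap, or server picked something unoffered
    return SIGNATURE_SCHEMES.get(chosen, "unknown(0x%04x)" % chosen)


# Constructed client offer: PSS ahead of PKCS#1 v1.5 (not Chrome's exact list).
CLIENT_OFFER = [0x0804, 0x0805, 0x0806, 0x0403, 0x0503, 0x0401, 0x0501, 0x0601]
LEGACY_SERVER = {0x0401, 0x0501, 0x0601}          # RSA-only TLS 1.2, no PSS
UPDATED_SERVER = LEGACY_SERVER | {0x0804, 0x0805, 0x0806}


def scenarios() -> dict:
    return {
        "legacy_conforming": handshake(CLIENT_OFFER, conforming_server, LEGACY_SERVER),
        "updated_conforming": handshake(CLIENT_OFFER, conforming_server, UPDATED_SERVER),
        "legacy_buggy": handshake(CLIENT_OFFER, buggy_server, LEGACY_SERVER),
        "server_picks_unoffered": handshake([0x0804], misbehaving_server, LEGACY_SERVER),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print("%-24s %s" % (name, result))
```

The first two scenarios are the expected outcome of the intent: a legacy server still lands on rsa_pkcs1_sha256, an updated one moves to rsa_pss_sha256 without any client change. The third is the failure mode the scanning data was collected for, and the last shows why a client must check the negotiated scheme against its own offer rather than trust the server's choice.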
lgtm2
lgtm2
LGTM3
lgtm2