Open MikeBishop opened 8 years ago
For TLS, we decided to allow PKCS#1.5. That was reluctant. Here, we can limit the choice safely, I think. Those people that have to spend extra cycles, or who can't do PSS can fall back to less optimized paths (i.e., multiple connections).
I agree on the safety of the constraint. Where I'm out of my depth is whether PSS needs a different cert or just a different signature algorithm with the same cert.
So there is a different OID for the two algorithms, but ultimately it's just an RSA key, so it can be used with either if you are willing to do so. I believe that this is the intent with PSS in TLS 1.3.
From Andrei:
The bitmap is about the signatures which we support in the PROOF frame, not about how the certificates themselves are signed. Now, whether existing RSA certs can generate RSA-PSS signatures is a question for Crypto folks – I would think that an RSA key can be used for multiple signing schemes, but I could also be wrong. Issue to track confirming.
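To confirm the point raised in the thread (an added example, not code from the issue or the draft): a single RSA key pair signs with both PKCS#1 v1.5 and RSASSA-PSS, each signature verifies only under the padding it was made with, and the key's SubjectPublicKeyInfo still carries the plain rsaEncryption OID regardless of which signature scheme is used. It assumes the third-party `cryptography` package; the message bytes are constructed.

```python
# Added example: one RSA key, two signature schemes (PKCS#1 v1.5 and PSS).
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# A fresh 2048-bit key standing in for the key behind an existing RSA cert.
KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
PUB = KEY.public_key()

PKCS1V15 = padding.PKCS1v15()
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=hashes.SHA256().digest_size)

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption), as found in the
# SPKI of an ordinary RSA certificate; PSS-only keys would use 1.2.840.113549.1.1.10.
RSA_ENCRYPTION_OID_DER = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"


def sign(message: bytes, scheme) -> bytes:
    return KEY.sign(message, scheme, hashes.SHA256())


def verifies(message: bytes, signature: bytes, scheme) -> bool:
    """True only if the signature is valid under the given padding scheme."""
    try:
        PUB.verify(signature, message, scheme, hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def spki_is_plain_rsa() -> bool:
    """The key's SPKI advertises rsaEncryption, not a scheme-specific OID."""
    der = PUB.public_bytes(serialization.Encoding.DER,
                           serialization.PublicFormat.SubjectPublicKeyInfo)
    return RSA_ENCRYPTION_OID_DER in der


def cross_check(message: bytes) -> dict:
    """Sign with each scheme and verify under both; note PSS is randomised."""
    sig15, sigpss = sign(message, PKCS1V15), sign(message, PSS)
    return {
        "v15_under_v15": verifies(message, sig15, PKCS1V15),
        "v15_under_pss": verifies(message, sig15, PSS),
        "pss_under_pss": verifies(message, sigpss, PSS),
        "pss_under_v15": verifies(message, sigpss, PKCS1V15),
        "v15_deterministic": sign(message, PKCS1V15) == sig15,
        "pss_randomised": sign(message, PSS) != sigpss,
    }
```

A verifier therefore needs the negotiated scheme (e.g. the bitmap in the thread) to know which padding to check; the key alone does not tell it.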