cfrg / draft-irtf-cfrg-blind-signatures

citing Marvin attack? #214

Open armfazh opened 1 year ago

armfazh commented 1 year ago

It's probably worth citing the Marvin attack in the section "Alternative RSA Encoding Functions".

According to [RFC8017], "Although no attacks are known against RSASSA-PKCS#1 v1.5, in the interest of increased robustness, RSA-PSS [RFC8017] is recommended for eventual adoption in new applications."

FredericJacobs commented 1 year ago

Hi @armfazh, thanks for opening this issue. I wonder what our options are now that we have an RFC. I think we would need to go through the whole process to get an errata issued.

@chris-wood: What do you think? Our last revision precedes the public disclosure of this vulnerability, but I don't know what our options are to address this.

chris-wood commented 1 year ago

The only option is errata at this point. That said, doesn't the attack only apply to PKCS#1 v1.5? What would be the reason for citing it in this document?

jedisct1 commented 1 year ago

Because we are quoting RFC8017: "Although no attacks are known against RSASSA-PKCS#1 v1.5" [RSA-PSS is recommended]

chris-wood commented 1 year ago

Oh, hah, I see 🤦 an errata is the best way forward then!