Mail regarding draft-ietf-httpbis-message-signatures and PKCS1_v1.5 support.

Hello HTTP Working Group,
The RFC, in section 3.3.2, lists RSASSA-PKCS1-v1_5 using SHA-256 as an example of a signature algorithm that can be used with HTTP message signing:

  *   The following sections contain several common signature algorithms and demonstrate how these cryptographic primitives map to the HTTP_SIGN and HTTP_VERIFY definitions here.


At the same time, RFC8017, which is being used as a reference, states in section 8:

  *   Two signature schemes with appendix are specified in this document: RSASSA-PSS and RSASSA-PKCS1-v1_5.  Although no attacks are known against RSASSA-PKCS1-v1_5, in the interest of increased robustness, RSASSA-PSS is REQUIRED in new applications.  RSASSA-PKCS1-v1_5 is included only for compatibility with existing applications.


My assumption is that, given this RFC is still in draft, it in theory shouldn't yet affect existing implementations. Shouldn't section 3.3.2 be removed, as RSASSA-PKCS1-v1_5 is REQUIRED to be replaced with RSASSA-PSS in new applications?

Best Regards
Hubert Barc




Received on Thursday, 26 October 2023 17:15:23 UTC