<div dir="ltr">I know that there's a general push to move away from RSASSA-PKCS1-v1_5 but is it accurate to say it's unsafe? I see things like this, for example, <a href="https://crypto.stackexchange.com/questions/34558/is-ssl-sign-safe-as-it-is-using-openssl-pkcs1-padding" target="_blank">https://crypto.stackexchange.<wbr>com/questions/34558/is-ssl-<wbr>sign-safe-as-it-is-using-<wbr>openssl-pkcs1-padding</a><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 20, 2017 at 10:47 AM, Nat Sakimura via Openid-specs-fapi <span dir="ltr"><<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Sascha,<br>
<br>
This came up during the WG calls as well.<br>
<br>
The short answer is that there are several attacks identified for RSASSA-PKCS1-v1_5 while PSS padding is safe. Cryptographer's opinion is that RSASSA-PKCS1-v1_5 should be retired.<br>
<br>
We agreed in the WG call to add RS256 as a permissible algorithm when HSM is used and the HSM in place does not support PS256 or ES256 in the final but has to be done in the way that it does not raise a red flag from the cryptographers. Please see <a href="https://bitbucket.org/openid/fapi/issues/101/jws-signature-algorithms-for-rw" rel="noreferrer" target="_blank">https://bitbucket.org/openid/f<wbr>api/issues/101/jws-signature-a<wbr>lgorithms-for-rw</a>.<br>
<br>
Best,<br>
<br>
---<br>
Nat Sakimura<br>
Research Fellow, Nomura Research Institute<br>
Chairman of the Board, OpenID Foundation<div class="HOEnZb"><div class="h5"><br>
<br>
On 2017-07-20 15:20, Preibisch, Sascha H via Openid-specs-fapi wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi all!<br>
<br>
I just read through the spec. and in section 8.6<br>
(<a href="http://openid.net/specs/openid-financial-api-part-2.html#jws-algorithm-con" rel="noreferrer" target="_blank">http://openid.net/specs/openi<wbr>d-financial-api-part-2.html#<wbr>jws-algorithm-con</a><br>
siderations) we recommend to use PS256 or ES256 as signing algorithms.<br>
<br>
Here<br>
"<a href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-14#section" rel="noreferrer" target="_blank">https://tools.ietf.org/html/d<wbr>raft-ietf-jose-json-web-algori<wbr>thms-14#section</a><br>
-3.1" PS256 is marked as OPTIONAL.<br>
<br>
I would like to understand why we recommend PS256 rather than RS256, which<br>
is RECOMMENDED and widely used.<br>
<br>
I saw that issue #92 spoke about this topic but I did not really<br>
understood it I believe.<br>
<br>
<br>
Thanks,<br>
Sascha<br>
<br>
<br>
______________________________<wbr>_________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid<wbr>.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">http://lists.openid.net/mailma<wbr>n/listinfo/openid-specs-fapi</a><br>
</blockquote>
______________________________<wbr>_________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid<wbr>.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">http://lists.openid.net/mailma<wbr>n/listinfo/openid-specs-fapi</a><br>
</div></div></blockquote></div><br></div>
<br>
<i style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:rgb(255,255,255);font-family:proxima-nova-zendesk,system-ui,-apple-system,system-ui,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;color:rgb(85,85,85)"><span style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:transparent;font-family:proxima-nova-zendesk,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;font-weight:600"><font size="2">CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.</font></span></i>