View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0009371 | Part 84: UAFX Profiles | Spec | public | 2024-01-25 14:57 | 2025-02-05 01:50 |
| Reporter | Martin Dickopp | Assigned To | Bob Lattimer | ||
| Priority | normal | Severity | minor | Reproducibility | have not tried |
| Status | assigned | Resolution | fixed | ||
| Target Version | 1.00.03 | ||||
| Summary | 0009371: Support RSASAA-PSS in offline engineering descriptor signatures | ||||
| Description | Digital signatures in offline engineering descriptors currently only support the old RSA PKCS#1 v1.5 signature scheme. The more modern RSASAA-PSS scheme should supported in addition to RSA PKCS#1 v1.5. | ||||
| Tags | No tags attached. | ||||
| related to | 0009352 | resolved | Todd Snide | Part 83: UAFX Offline Engineering | Allow RSASSA_PSS padding scheme for Descriptor signatures |
|
|
Added RSASSA_PSS CUs per input from Martin Dickopp - see attached Word doc |
|
|
Added new CUs per Martin Dickopp's direction. |
|
|
Needs further review from Martin (and OE). We want to enforce use of the new algorithm for encoding. To ensure interoperability, decoding needs to support both in case someone used the old algorithm. |
|
|
Message from Martin Dickopp: While PSS is more modern than PKCS#1.5 and the recommended scheme, its usage should not be a strict requirement, in my opinion. Companies may have an existing corporate PKI infrastructure that implements PKCS#1.5, but not PSS, and may want to use it to sign their descriptors. Switching to PSS would be challenging for such companies. Therefore, I think that both PKCS#1.5 and PSS must be accepted when verifying signatures, and both should be allowed for signing, with a preference for PSS if this is an option for the signer. Note that while PKCS#1.5 is broken when used for encryption, it is still considered secure for digital signatures. From a security point of view, both are fine (and both have advantages and disadvantages). |
|
|
Considering Martin's comments, the current fix seems appropriate since both the new PSS and the old PKS are available for signing and verifying. It's just that we may need separate Profiles for these functions. Signing requires PSS or PKS and verifying requires both. The way it is, both need both. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-01-25 14:57 | Martin Dickopp | New Issue | |
| 2024-01-25 15:24 | Emanuel Kolb | Relationship added | related to 0009352 |
| 2024-02-07 15:33 | Greg Majcher | Assigned To | => Bob Lattimer |
| 2024-02-07 15:33 | Greg Majcher | Status | new => assigned |
| 2024-11-20 02:41 | Bob Lattimer | Note Added: 0022082 | |
| 2024-11-20 02:41 | Bob Lattimer | File Added: DRAFT OE RSASAA_PSS 2024-10-01.docx | |
| 2024-11-20 02:42 | Bob Lattimer | Status | assigned => resolved |
| 2024-11-20 02:42 | Bob Lattimer | Resolution | open => fixed |
| 2024-11-20 02:42 | Bob Lattimer | Note Added: 0022083 | |
| 2024-12-18 14:23 | Greg Majcher | Target Version | => 1.00.03 |
| 2024-12-18 14:47 | Greg Majcher | Status | resolved => assigned |
| 2024-12-18 14:47 | Greg Majcher | Note Added: 0022229 | |
| 2025-02-05 01:45 | Bob Lattimer | Note Added: 0022372 | |
| 2025-02-05 01:50 | Bob Lattimer | Note Added: 0022373 |
