Skip to main content

1. Introduction

1. Introduction

TLS 1.3 [RFC8446] removed support for RSASSA-PKCS1-v1_5 [RFC8017] in CertificateVerify messages in favor of RSASSA-PSS. Although RSASSA-PSS is long established, some legacy hardware cryptographic devices do not support it. These devices are uncommon in TLS servers, but TLS clients sometimes use them for client certificates.

Trusted Platform Modules (TPMs), for example, are often used to protect TLS client certificate private keys. Many TPMs cannot produce RSASSA-PSS signatures compatible with TLS 1.3. TPM specifications before 2.0 did not define RSASSA-PSS support, and TPM 2.0 devices can only be relied on for TLS 1.3-compatible salt lengths when they are compatible with US FIPS 186-4.

Deployments that stay on TLS 1.2 leak client certificates to network attackers [PRIVACY] and cannot protect traffic against retroactive decryption by an attacker with a quantum computer [RFC9954]. TLS also negotiates versions before client certificates, so a client and server can negotiate TLS 1.3 only to fail later because the client has a legacy key.

Disabling TLS 1.3 affects connections that are not otherwise impacted, while external fallback mechanisms break TLS's security analysis and can introduce vulnerabilities [POODLE]. This document allocates code points for using these legacy keys with client certificates in TLS 1.3, reducing pressure to choose those mitigations and unblocking TLS 1.3 deployment.