Skip to main content

4. Security Considerations

4. Security Considerations

The considerations in Section 1 do not apply to server keys, so these new code points are forbidden for use with server certificates. RSASSA-PSS continues to be required for TLS 1.3 servers that use RSA keys. This keeps the impact limited to cases where these code points are needed to unblock TLS 1.3 deployment.

When implemented incorrectly, RSASSA-PKCS1-v1_5 admits signature forgeries [MFSA201473]. Implementations that produce or verify signatures with these algorithms MUST implement RSASSA-PKCS1-v1_5 as specified in Section 8.2 of [RFC8017]. In particular, clients MUST include the mandatory NULL parameter in the DigestInfo structure and produce valid DER [X690] encoding. Servers MUST reject signatures that do not meet these requirements.