Re: [Dcrup] rsa-sha1 proposals
Jim Fenton <fenton@bluepopcorn.net> Tue, 20 June 2017 23:54 UTC
To: dcrup@ietf.org
References: <20170620230641.18814.qmail@ary.lan> <5949ADA0.3050702@isdg.net> <CAOZAAfNhX0Z+V8Cm=L_mKXKeFQhh7u_gSAFYV65VmsMasL0X6A@mail.gmail.com>
From: Jim Fenton <fenton@bluepopcorn.net>
Message-ID: <66bc2692-7807-9e5c-329d-77c2759d89f1@bluepopcorn.net>
Date: Tue, 20 Jun 2017 16:53:53 -0700
In-Reply-To: <CAOZAAfNhX0Z+V8Cm=L_mKXKeFQhh7u_gSAFYV65VmsMasL0X6A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/PR1A2Ldpa_GAkG0PKOlxHeTeh0Y>
Subject: Re: [Dcrup] rsa-sha1 proposals
List-Id: DKIM Crypto Update <dcrup.ietf.org>
On 6/20/17 4:38 PM, Seth Blank wrote:
> On Tue, Jun 20, 2017 at 4:20 PM, Hector Santos <hsantos@isdg.net <mailto:hsantos@isdg.net>> wrote:
>
>> Back in 2007 RFC 4871 said "In general, sha256 should always be used whenever possible." I think people have had enough warning, and if we want to kill it, we should just kill it.
>>
>> Unless whitelisted, this will create invalid SHA1 signatures from perfectly good domains. New systems that initially avoid SHA1 legacy support will quickly learn not all systems use SHA256, i.e., a quick support problem.
>
> To me, this is exactly the point. People have had ten years to switch to SHA-256. At this point, people will only move if the threat of breakage is upon them. And this isn't breakage, this is a document that says using SHA-1 is no longer acceptable, and you MUST use SHA-256. If it's the right security recommendation, we should say it explicitly.

The verb "use" isn't precise enough because it doesn't specify whether it refers to signing or verifying. I agree that the document should say that signers MUST NOT sign using SHA-1. Even though SHA-1 hasn't been broken seriously enough to be exploitable in this application, it's good for us to be out in front of that.

Several people have said that it doesn't matter whether we say MUST NOT verify rsa-sha1 or SHOULD NOT verify rsa-sha1. That may very well be true, but we shouldn't be in the habit of saying MUST NOT for something that is actively being used and is not currently exploitable. We should be paying at least lip service to interoperability by saying MUST NOT sign prior to saying MUST NOT verify.

Any signers that are concerned about downgrade attacks (bad actors creating valid rsa-sha1 signatures somehow, despite the domain using rsa-sha256) should put h=sha256 in their key records to close that possibility.

-Jim
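The two controls discussed in this message, a signer-side "MUST NOT sign with SHA-1" policy and the key-record h= tag that lets a domain refuse rsa-sha1 at the verifier, as an added example that is not part of the thread or of any DKIM implementation. The key records and algorithm names below are constructed for illustration; the h= tag semantics follow RFC 6376 section 3.6.1.

```python
# Added example (not from the thread): verifier-side enforcement of the DKIM
# key record's "h=" tag against the hash named in a signature's "a=" tag,
# plus the signer-side MUST NOT from the discussion. Records are constructed.

def parse_tags(record: str) -> dict:
    """Parse a DKIM tag=value list such as 'v=DKIM1; h=sha256; k=rsa; p=...'."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)   # maxsplit keeps base64 '=' padding intact
            tags[k.strip()] = v.strip()
    return tags

def hash_of(alg: str) -> str:
    """'rsa-sha256' -> 'sha256'; rejects algorithm names DKIM does not define."""
    sig, _, h = alg.partition("-")
    if sig not in ("rsa", "ed25519") or h not in ("sha1", "sha256"):
        raise ValueError(f"unknown algorithm {alg!r}")
    return h

def key_accepts(key_record: str, sig_alg: str) -> bool:
    """True if the key's h= tag permits the signature's hash.
    An absent h= means every hash is acceptable, which is why a domain that
    only signs with SHA-256 gains from publishing h=sha256 explicitly."""
    key = parse_tags(key_record)
    if key.get("v", "DKIM1") != "DKIM1":
        return False
    allowed = key.get("h")
    if allowed is None:
        return True
    return hash_of(sig_alg) in {a.strip() for a in allowed.split(":")}

def signer_allowed(sig_alg: str) -> bool:
    """Signer policy from the thread: MUST NOT sign using SHA-1."""
    return hash_of(sig_alg) != "sha1"

def verifier_disposition(key_record: str, sig_alg: str, accept_sha1: bool = True) -> str:
    """'permfail' when the key record forbids the hash, or when the local
    SHOULD NOT / MUST NOT verify rsa-sha1 policy is switched on; else 'pass'
    (the RSA signature check itself is out of scope for this example)."""
    if not key_accepts(key_record, sig_alg):
        return "permfail"
    if hash_of(sig_alg) == "sha1" and not accept_sha1:
        return "permfail"
    return "pass"
```

With h=sha256 published, a forged rsa-sha1 signature over the same key fails at every verifier regardless of whether that verifier has already dropped SHA-1 support locally.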