Re: [Dcrup] Time For People To Really Stop Using SHA-1 Signatures?

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 14 January 2020 22:26 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/l1ko_wW3BDEosf2CgX55iy9AnKo>

On Tue, Jan 14, 2020 at 09:16:00AM -0500, Hector Santos wrote:

> I read a statement the OpenSSL folks were thinking about removing it.

There are no such plans.  Rather, in some future releases the use of
SHA-1 in digital signatures (whether in X.509, or in TLS handshake
signatures) will probably only work at "security level 0".

The default security level for TLS is level 1 (notionally 80 bits),
which currently admits SHA-1.  When/if SHA-1 is downgraded (not
removed) X.509 certificates using SHA-1 will fail to validate at
level 1, and TLS handshake signatures using SHA1, MD5 or SHA-1||MD5
will not be considered valid.  That effectively rules out TLS 1.0
and TLS 1.1.  So the change would need to be made with care, giving
the laggards some time to finally migrate to TLS 1.2.

Non-TLS applications default to level 0 (no floor on algorithm
strength), but can choose a stricter level for certificate verification.

HMAC-SHA1 remains unbroken, and so there are no plans to deprecate
SHA-1 ciphersuites from TLS, but these days you're more likely to
negotiate an AEAD cipher.

> That would be a horrible decision and it is just someone's belief, not
> the OpenSSL team because then we really create REAL damage by forcing
> SHA1 signatures to fail which are otherwise secured right now.

Let's not fill the void with wild speculation.

> Let's fix the real Rewrite potential problems first before worrying
> about SHA1.

This isn't an either/or choice, deprecate SHA1 signing, *and* other
issues that warrant attention.

-- 
    Viktor.