IETF Logo Mail Archive

Re: [Iot-directorate] Iotdir last call review of draft-ietf-tls-md5-sha1-deprecate-04

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Thu, 29 October 2020 15:53 UTC

Return-Path: <evyncke@cisco.com>
X-Original-To: iot-directorate@ietfa.amsl.com
Delivered-To: iot-directorate@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20F523A0115 for <iot-directorate@ietfa.amsl.com>; Thu, 29 Oct 2020 08:53:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.601
X-Spam-Level:
X-Spam-Status: No, score=-9.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=L405056a; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=ng/0e0ef
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kJf5S8zPn3NU for <iot-directorate@ietfa.amsl.com>; Thu, 29 Oct 2020 08:52:59 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1FBA3A00D8 for <iot-directorate@ietf.org>; Thu, 29 Oct 2020 08:52:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=17974; q=dns/txt; s=iport; t=1603986779; x=1605196379; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=IYY/WT4X5w3ztg1rxNfxGbquyCLr4BwvUC2QSIiPMtE=; b=L405056avw1hMIgdj88kzipbo5tN0IolBpcj4iJYa3v6Hrj/EKYgk3ry 4hAZKzLax3cn9PVEyuM4G0cOsYvagsfpSPCrqCrg4MdeD4DsuxBHg9CZj 0Z+b50j/bhOQD/aBLMbqKFO+pZr+T9LSUlJ02JGg0vZavyf3L0O/snyId U=;
IronPort-PHdr: 9a23:oy9KBB88YInG5P9uRHGN82YQeigqvan1NQcJ650hzqhDabmn44+7ZhSN6O9sh0TSWoOd4PVB2KLasKHlDGoH55vJ8HUPa4dFWBJNj8IK1xchD8iIBQyeTrbqYiU2Ed4EWApj+He2YkVPGc3lfFrU5Ha16G1aFhD2LwEgIOPzF8bbhNi20Obn/ZrVbk1IiTOxbKk0Ig+xqFDat9Idhs1pLaNixw==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BTCgCm5Jpf/4ENJK1iHgEBCxIMQIMhIy4HcFkvLYQ9g0kDjSMmmHuBQoERA1QLAQEBDQEBGAsKAgQBAYFVgnUCF4FwAiU4EwIDAQELAQEFAQEBAgEGBHGFYQyFcgEBAQEDAQEQEREMAQEsCwELBAIBCBEDAQIDAiYCAgIlCxQBCAgCBA4FIoMEAYJLAy4BDqNtAoE7iGh2gTKDBAEBBYJMgmQYghADBoEOKoJyg3GEDIJLG4FBP4ERJwwQgk0+glwBAYFFAhiDFzOCLJAUEhIzgnSTIpAQgQwKgmyVdoUMAx+DF4oQlD6VQpp9g0ICBAIEBQIOAQEFgWsjN4EgcBU7KgGCPlAXAg2OHwsBARYUgzqFFIVEdDgCBgEJAQEDCXyNTAEB
X-IronPort-AV: E=Sophos;i="5.77,430,1596499200"; d="scan'208";a="575490285"
Received: from alln-core-9.cisco.com ([173.36.13.129]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 29 Oct 2020 15:52:53 +0000
Received: from XCH-RCD-004.cisco.com (xch-rcd-004.cisco.com [173.37.102.14]) by alln-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id 09TFqqOF023331 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 29 Oct 2020 15:52:53 GMT
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by XCH-RCD-004.cisco.com (173.37.102.14) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 29 Oct 2020 10:52:52 -0500
Received: from xhs-aln-002.cisco.com (173.37.135.119) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 29 Oct 2020 10:52:52 -0500
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-002.cisco.com (173.37.135.119) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Thu, 29 Oct 2020 10:52:52 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=iKAlWrUu2uEYKmz+MvyWrLsE7t24G8iJIuA/pAO0IClngpG3afJzF/+BjXV5CQ6eiMefNPCCEQYN8OjWHk49Q2qRIxxv/zWUjb8Stc+V2MrNuA32Q4j0DIbc+R1pxG2PJ4NNxbYLq0rTjV3fgKKrph7SdShGnrp1U8RHeS766R7695o8kLBg8EAghOtLu7XyYdXUnnOydw4FWpoDX1CB6oK5FksmzrKin3mHVEhNPGCzPqAYrv/ocKta7ZSbj2EQ2wOeSzi9AIy6iFMxPg6Nr2MH8GPeZyzVyTtxU5VpVPd64MSJz+f6aZOK/719Wp1hxtmS/l967rva5DR/kycwgw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IYY/WT4X5w3ztg1rxNfxGbquyCLr4BwvUC2QSIiPMtE=; b=HQEFF33/CuK0B7BUx8bDgZNWwPchFQJa3IGfVgLsMYPJ/U5jbEN5782vDJIR5j9lkJO2PzdQLT/aQ2ANES7drND1y8F/1uK8Yuha2CjvVX3YWXJMvDvQWQkfQDNHc3Ba7iUo+80F1A8EcN0+Pmg/HOpwcg9Rgy2JN6doG1MOPg+Ktyp+9XcythMTzqYM77VoQNwsZvyFFTQt9FlTYckBJDmd116bjy8wx0n+kpJwa5kuN5ydjG6kFKSYbkeh0zLqXs3g95tW+orUKLOT7zc7UN21sCdBiYAAvviyZy+HkPRCVNT+vQPmimEli1pw2+bs0xxw0Hv3ILaiORVnQKgR1Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IYY/WT4X5w3ztg1rxNfxGbquyCLr4BwvUC2QSIiPMtE=; b=ng/0e0ef1LQAKTqCL5+sBs464UCzO3OZ0vn/SfrGL2V6Y75G2UpDNowQOLmOGxbut/uX/XTQoe2liO+erLnTwBy5TgsV4XPBB1YkRHAp96n5a673MWFP2jPVbBP1qxIrC3XpaeaUgJHZy4VvaMgS57oB6n3Jg9h6Jqsu0+mV1C4=
Received: from PH0PR11MB4966.namprd11.prod.outlook.com (2603:10b6:510:42::21) by PH0PR11MB5160.namprd11.prod.outlook.com (2603:10b6:510:3e::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3499.18; Thu, 29 Oct 2020 15:52:50 +0000
Received: from PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::453b:b2f5:ec29:410d]) by PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::453b:b2f5:ec29:410d%7]) with mapi id 15.20.3499.028; Thu, 29 Oct 2020 15:52:50 +0000
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Daniel Migault <daniel.migault@ericsson.com>
CC: "iot-directorate@ietf.org" <iot-directorate@ietf.org>
Thread-Topic: [Iot-directorate] Iotdir last call review of draft-ietf-tls-md5-sha1-deprecate-04
Thread-Index: AQHWrGxefcPUM/TuBkmpbl82L06PD6muzwWA
Date: Thu, 29 Oct 2020 15:52:50 +0000
Message-ID: <5023F679-EF7B-4575-9999-F7A383C862BD@cisco.com>
References: <160380837029.27888.4435196327617929302@ietfa.amsl.com>
In-Reply-To: <160380837029.27888.4435196327617929302@ietfa.amsl.com>
Accept-Language: fr-BE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.42.20101102
authentication-results: ericsson.com; dkim=none (message not signed) header.d=none;ericsson.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [2001:420:c0c1:36:edac:66ab:2b5c:852d]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 836d7e01-0a70-474c-0620-08d87c22b08f
x-ms-traffictypediagnostic: PH0PR11MB5160:
x-microsoft-antispam-prvs: <PH0PR11MB51600F622EEE8C3675A40375A9140@PH0PR11MB5160.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: achcoddJNVBSnBgm7/Y92/5CNb9ciElyi71qc/Q4jvQJ2vk6QL9qMsJ86YprTbFexHA8GIt2ljLpEPliI15J2YC/vz7PnjbjvVgqjrenu65DQ1obwFTT7+SmmfP1kVVFM1HYB6TmiAGGGzULj5rftklsU3kM7Sfu7Elbv0Noj/Brfw9DeCwT3AyMkmw1tbjWIHlYi+gprSZ3DLA7/fMKt/fuC5VqH3M9AgA/mGWn5XSPR8asNUDPcCCnqoq32EQq/evk6xf/bS5KQ+VC3SZXwMlWuUYXFxLYwYwKUAriPwMHzH4HvLr+YWhNbSRGn01jkqOh9u1LiYC1IZ+mxCAbUFI7u+D6bJ/lhrTR2RqqzgqacYUH5ANDn2SWcdiHhjeUgWLiJY8v8lJqwjxqd8wTGg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH0PR11MB4966.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(346002)(366004)(136003)(396003)(39860400002)(376002)(76116006)(966005)(86362001)(4326008)(186003)(2616005)(36756003)(6486002)(33656002)(71200400001)(66476007)(66556008)(66946007)(91956017)(64756008)(66446008)(8936002)(8676002)(6512007)(66574015)(30864003)(53546011)(6506007)(5660300002)(83380400001)(316002)(2906002)(478600001)(6916009); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: R5fQ66O1h4kd9s1vws0YjsMww2byOs2+wXwitzC6P2KWVEAi/PLaMkgnfAfi1RkTOnPCx58roC/VHvoig5jswpwk91jWXjLUF2NHJDHShbNATUgSyT8kmN1+KcuWTI9qQ4mQIBQEub8vMGPSlGCbg3xuiJ1CRkWPETFb4hP7FxD1GvTcavbMulvHqCuxkhJ+A/w5m1pOQmcft6ogIgtq6u/NORYP6l67SjfHYlyirHX6nsz8hCrZP79XMmQdAZj7/MbTHvz32m1NSKnP26THPYea5MTpHb+glcT0NHBrFiiuGiFvRZwKFcxfYNrMlNhK2AGEZQIZ6SNdeynRmPHrm3fOBW9pwaJ7n0rKnD0+IMg0C2JXs37geSwRW0/4jHjKljgSSqJEiVBUCWg54KDZI9XVCeJtnpYmiIAkrnC13qnUKJ7fPKSctTYs2WwVZsmVw07aYVSzBKqjZYngXaYN0Yjk3v5il7jj4ER46roWxS8mOK62GR3u74AhMnTNLced3nc35/M2IoUHcUMTNw9LWSQXCqjPz8t6nveqL7O5vSyeNdW8mM7YiYiM4aTegAq6tvbki5b42VWLtj2D+Hpsni/V+aXhRVShcAffzQZL+MwL7OaiUomFVzF96MMtvVpNARbU0MKTaHUkqKojI/pOmgYvvYMjkfqz2arTFPyXwatX7qDh4OaJypom/CvjGigjM7zICEx+20dQD35xS2XhFA==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <4C658EBC4AE4564BBDA971F0B5DE110A@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4966.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 836d7e01-0a70-474c-0620-08d87c22b08f
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Oct 2020 15:52:50.4904 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: +H0bMc9JdMw6EKPTuiLxj52F5PG0ASj+XUMj23IocLoor2wecjEsYJmc/MjQH2HnGWUHvBqaaN8SbDe+025Zxw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB5160
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.14, xch-rcd-004.cisco.com
X-Outbound-Node: alln-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-directorate/ZnwKlomXPu7dsFIxaYZPmHdYMF8>
Subject: Re: [Iot-directorate] Iotdir last call review of draft-ietf-tls-md5-sha1-deprecate-04
X-BeenThere: iot-directorate@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Mailing list for the IoT Directorate Members <iot-directorate.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-directorate>, <mailto:iot-directorate-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-directorate/>
List-Post: <mailto:iot-directorate@ietf.org>
List-Help: <mailto:iot-directorate-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-directorate>, <mailto:iot-directorate-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Oct 2020 15:53:02 -0000

Thank you Daniel

-----Original Message-----
From: Iot-directorate <iot-directorate-bounces@ietf.org> on behalf of Daniel Migault via Datatracker <noreply@ietf.org>
Reply-To: Daniel Migault <daniel.migault@ericsson.com>
Date: Tuesday, 27 October 2020 at 15:20
To: "iot-directorate@ietf.org" <iot-directorate@ietf.org>
Cc: "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-tls-md5-sha1-deprecate.all@ietf.org" <draft-ietf-tls-md5-sha1-deprecate.all@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: [Iot-directorate] Iotdir last call review of draft-ietf-tls-md5-sha1-deprecate-04

    Reviewer: Daniel Migault
    Review result: Ready with Nits

    Hi,


    I reviewed this document as part of the IoT Directorate's ongoing effort to
    review all IETF documents being processed by the IESG.  These comments were
    written primarily for the benefit of the Security Area Directors.  Document
    authors, document editors, and WG chairs should treat these comments just like
    any other IETF Last Call comments.  

    Review Results: Ready with Nits

    Please find my comments below.

    Yours,
    Daniel


             Deprecating MD5 and SHA-1 signature hashes in TLS 1.2
                      draft-ietf-tls-md5-sha1-deprecate-04
    [...]

    1.  Introduction

       The usage of MD5 and SHA-1 for signature hashing in TLS 1.2 is
       specified in [RFC5246].  MD5 and SHA-1 have been proven to be
       insecure, subject to collision attacks [Wang].  In 2011, [RFC6151]
       detailed the security considerations, including collision attacks for
       MD5.  NIST formally deprecated use of SHA-1 in 2011
       [NISTSP800-131A-R2] and disallowed its use for digital signatures at
       the end of 2013, based on both the Wang, et. al, attack and the
       potential for brute-force attack.  In 2016, researchers from INRIA
       identified a new class of transcript collision attacks on TLS (and
       other protocols) that rely on efficient collision-finding algorithms
       on the underlying hash constructions [Transcript-Collision].
       Further, in 2017, researchers from Google and CWI Amsterdam
       [SHA-1-Collision] proved SHA-1 collision attacks were practical.
       This document updates [RFC5246] and [RFC7525] in such a way that MD5
       and SHA-1 MUST NOT be used for digital signatures.  However, this
       document does not deprecate SHA-1 in HMAC for record protection.

    <mglt>
    RFC6194 may be mentioned as a reference for
    not deprecating HMAC-SHA-1 as well as an
    additional reference to [NISTSP800-131A-R2]. 

    Reading the text the situation of HMAC with
    MD5 is unclear. Since we specify that SHA-1
    is not deprecated for HMAC we may specify
    the status for HMAC with MD5. Given RFC6151 I
    hope the reason is that MD5 and HMAC-MD5 has
    already been deprecated but I have not found
    this. Maybe that would worth mentioning it
    is deprecated already.

    </mglt>

    [...]

    2.  Signature Algorithms

       Clients MUST NOT include MD5 and SHA-1 in the signature_algorithms
       extension.  If a client does not send a signature_algorithms
       extension, then the server MUST abort the handshake and send a
       handshake_failure alert, except when digital signatures are not used
       (for example, when using PSK ciphers).

    <mglt>
    It seems to me that the server behavior might
    be defined as well. In our case this could be
    something around the lines the server MUST
    ignore MD5 and SHA1 values in the signature
    algorithm extension. 

    </mglt>

    3.  Certificate Request

       Servers SHOULD NOT include MD5 and SHA-1 in CertificateRequest
       messages.

    <mglt>
    It seems to me that the same level of
    authentication should be provided for both
    peers and that server MUST NOT  include MD5
    or SHA-1.

    A SHOULD NOT status might be welcome for a
    smooth transition. At that time, collision
    for MD5 and SHA1 are known for years. It is likely
    that software that still need MD5 or SHA1 are
    likely to never upgrade, so I doubt a smooth
    path worth being taken. 
    </mglt>

    4.  Server Key Exchange

       Servers MUST NOT include MD5 and SHA-1 in ServerKeyExchange messages.
       If a client receives a MD5 or SHA-1 signature in a ServerKeyExchange
       message it MUST abort the connection with the illegal_parameter
       alert.

    <mglt>
    As per section 2, the client has clearly
    indicated it does not support signature with
    MD5/SHA1, so Server Key Exchange should not
    end up with signature with SHA1/MD5. 

    """
    If the client has offered the "signature_algorithms" extension, the
       signature algorithm and hash algorithm MUST be a pair listed in that
       extension. 
    """

    It also seems to me that the constraint of
    including a MD5 and SHA-1 signature is
    related to the Certificate. I suspect that
    some clarification are needed here.  

    Since the case where the extension becomes
    mandatory, the quoted text above of RFC 5246
    might be updated as well, though this does
    not appear that necessary.

    </mglt>

    5.  Certificate Verify

       Clients MUST NOT include MD5 and SHA-1 in CertificateVerify messages.
       If a server receives a CertificateVerify message with MD5 or SHA-1 it
       MUST abort the connection with handshake_failure or
       insufficient_security alert.


    <mglt>

    6. Certificate 

    Unless I am missing something, it seems to me
    that signature may also be found in the
    Certificate messages for the chain as well in
    the restriction of the signature algorithm.
    The end certificate is associated to the peer
    while other certificate are related to a CA. 

    It seems that client and server behavior may
    be specified. The quoted text below may be
    helpful to clarify. 

    """
     If the client provided a "signature_algorithms" extension, then all
       certificates provided by the server MUST be signed by a
       hash/signature algorithm pair that appears in that extension.
    """

    </mglt>

    6.  Updates to RFC5246

       [RFC5246], The Transport Layer Security (TLS) Protocol Version 1.2,
       suggests that implementations can assume support for MD5 and SHA-1 by
       their peer.  This update changes the suggestion to assume support for
       SHA-256 instead, due to MD5 and SHA-1 being deprecated.

       In Section 7.4.1.4.1: the text should be revised from:

       OLD:

       "Note: this is a change from TLS 1.1 where there are no explicit
       rules, but as a practical matter one can assume that the peer
       supports MD5 and SHA- 1."

       NEW:

       "Note: This is a change from TLS 1.1 where there are no explicit
       rules, but as a practical matter one can assume that the peer
       supports SHA-256."


    <mglt>
    I am reading the Note as an explanation on
    why sha was taken as the default hash
    function with the following rules. 

    """
    If the client does not send the signature_algorithms extension, the
       server MUST do the following:

       -  If the negotiated key exchange algorithm is one of (RSA, DHE_RSA,
          DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA), behave as if client had
          sent the value {sha1,rsa}.

       -  If the negotiated key exchange algorithm is one of (DHE_DSS,
          DH_DSS), behave as if the client had sent the value {sha1,dsa}.

       -  If the negotiated key exchange algorithm is one of (ECDH_ECDSA,
          ECDHE_ECDSA), behave as if the client had sent value {sha1,ecdsa}.
    """

    The current document does not update the
    default hash function from sha to sha256 to
    avoid interoperability issue where one peer
    takes sha while the other one takes sha-256.
    As a results, these rules and the "Note" may
    eventually all together be replaced by your
    text of section 2. 

    The following text may also be removed:

    """
     If the client supports only the default hash and signature algorithms
       (listed in this section), it MAY omit the signature_algorithms
       extension.
    """

    Regarding the Note, it seems to be that the
    removal of support for MD5/SHA1 will result
    in interoperability issues. At this point,
    the issue is due to the obsolescence of the
    implementation as deprecation of SHA1/Md5 has
    started a long time ago. 

    It is unclear to me how normative is
    interpreted "can assume". Was the support of
    MD5/SHA1 a SHOULD or a MUST? In both case, if
    we were willing to maintain interoperability
    between software that only implemented
    MD5/SHA1, we should take a slower path and
    introducing SHA-256 and having were MD5/SHA1
    kept for interoperability purpose before
    being deprecated. I do not think we should
    take that path as implementations that
    currently do not support SHA-256 are unlikely
    to be updated and that deprecation of
    SHA1/MD5 has started a long time ago. 

    I would however mention the issue of
    interoperability in the  section but not in
    the text to update. In the text to update I
    would maybe suggest that the support of
    SHA-256 comes with a normative MUST
    statement. 


    </mglt>

    Velvindron, et al.       Expires April 12, 2021                 [Page 3]
    ?
    Internet-Draft      draft-ietf-tls-md5-sha1-deprecate       October 2020


    7.  Updates to RFC7525

       [RFC7525], Recommendations for Secure Use of Transport Layer Security
       (TLS) and Datagram Transport Layer Security (DTLS) recommends use of
       SHA-256 as a minimum requirement.  This update moves the minimum
       recommendation to use stronger language deprecating use of both SHA-1
       and MD5.  The prior text did not explicitly include MD5 or SHA-1; and
       this text adds guidance to ensure that these algorithms have been
       deprecated..

       Section 4.3:

       OLD:

       When using RSA, servers SHOULD authenticate using certificates with
       at least a 2048-bit modulus for the public key.  In addition, the use
       of the SHA-256 hash algorithm is RECOMMENDED (see [CAB-Baseline] for
       more details).  Clients SHOULD indicate to servers that they request
       SHA-256, by using the "Signature Algorithms" extension defined in TLS
       1.2.

       NEW:

       Servers SHOULD authenticate using certificates with at least a
       2048-bit modulus for the public key.

       In addition, the use of the SHA-256 hash algorithm is RECOMMENDED;
       and SHA-1 or MD5 MUST NOT be used (see [CAB-Baseline] for more
       details).  Clients MUST indicate to servers that they request SHA-
       256, by using the "Signature Algorithms" extension defined in TLS
       1.2.

    <mglt>
    I understand the reason we do specify that
    hash algorithms that MUST NOT been used. This
    is fine in the context of this document, but
    it seems to me that if we were writing the
    updated specification we may have rather
    mentioned a minimum level of security hash
    function needs to be met - in our case
    SHA-256. I leave the co-authors make the
    appropriated choice.   

    </mglt>


    8.  IANA Considerations

       The document updates the "TLS SignatureScheme" registry to change the
       recommended status of SHA-1 based signature schemes to N (not
       recommended) as defined by [RFC8447].  The following entries are to
       be updated:

           +--------+----------------+-------------+-------------------+
           | Value  |  Description   | Recommended |     Reference     |
           +--------+----------------+-------------+-------------------+
           | 0x0201 | rsa_pkcs1_sha1 |      N      | [RFC8446][RFCTBD] |
           | 0x0203 |   ecdsa_sha1   |      N      | [RFC8446][RFCTBD] |
           +--------+----------------+-------------+-------------------+

       Other entries of the resgistry remain the same.


    <mglt>
    It seems to me that TLS 1.2 is using the TLS
    hash and TLS signature registry TLS signature
    registry and TLS 1.3 is using Signature
    Scheme. 

    I suspect that TLS hash values for sha1 and
    md5 should be deprecated. And RFCTBD should
    be added for sha1 and md5. Note that the 
    SHOULD NOT status for CertificateRequest
     may have prevented such deprecation. 

    A side effect is these code points for
    signature scheme that were assigned for
    compatibility with legacy (TLS 1.2)
    signatures must not be used anymore -  if
    there are no more valid with TLS 1.2. 
    </mglt>




    -- 
    Iot-directorate mailing list
    Iot-directorate@ietf.org
    https://www.ietf.org/mailman/listinfo/iot-directorate

v2.23.0 | Report a Bug | By Email