Re: [Last-Call] Last Call: <draft-ietf-tls-md5-sha1-deprecate-04.txt> (Deprecating MD5 and SHA-1 signature hashes in TLS 1.2) to Proposed Standard

[mrex@sap.com]

The IESG <iesg-secretary@ietf.org> wrote:
> 
> The IESG has received a request from the Transport Layer Security WG (tls) to
> consider the following document: - 'Deprecating MD5 and SHA-1 signature
> hashes in TLS 1.2'
>
>   <draft-ietf-tls-md5-sha1-deprecate-04.txt> as Proposed Standard
> 
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> last-call@ietf.org mailing lists by 2020-10-28. Exceptionally, comments may
> be sent to iesg@ietf.org instead. In either case, please retain the beginning
> of the Subject line to allow automated sorting.


The new, backwards-incompatible and interop-fatal behaviour proposed in
section 2 of the current draft must be changed to reflect the updated
rationale from section 6 of the very same document, and to promote
safe and secure interoperability instead of a needless total interop failure.

Requesting interop failure where instead safe and secure interop can
be easily obtained, as the current draft does, would be in serious
violation of section 6 of RFC 2119 about where an imperative MUST
is not allowed for the given situation.



Section 6 of the current draft says:

   6.  Updates to RFC5246

   [RFC5246], The Transport Layer Security (TLS) Protocol Version 1.2,
   suggests that implementations can assume support for MD5 and SHA-1 by
   their peer.  This update changes the suggestion to assume support for
   SHA-256 instead, due to MD5 and SHA-1 being deprecated.

   In Section 7.4.1.4.1: the text should be revised from:

   OLD:

   "Note: this is a change from TLS 1.1 where there are no explicit
   rules, but as a practical matter one can assume that the peer
   supports MD5 and SHA- 1."

   NEW:

   "Note: This is a change from TLS 1.1 where there are no explicit
   rules, but as a practical matter one can assume that the peer
   supports SHA-256."


and therefore the behaviour in section 2 about the "Signature Algorithms"
extension ought to say:

   2.  Signature Algorithms

   Clients MUST NOT include MD5 and SHA-1 in the signature_algorithms
   extension.  If a client does not send a signature_algorithms
   extension, then the server MUST use (sha256,rsa) for
   digitally_signed on the ServerKeyExchange handshake message for
   TLS cipher suites using RSA authentication, and the server MUST use
   (sha256,ecdsa) for TLS cipher suites using ECDSA authentication.

   The server behaviour ought to be consistent for both, receipt of an
   extension-less SSLv3+ ClientHello handshake message, and for a
   backwards-compatible SSL VERSION 2 CLIENT-HELLO (which can not convey
   any TLS extensions) as described in Appendix-E.2 of rfc5246,
   and as permitted in bullet 2 in section 3 of RFC6176.



As desribed in RFC6151, collision attacks on MD5 were appearing in
publications already in 2004, 2005, 2006 & 2007, the TLSv1.2 spec
rfc5246 should have never *NEWLY* added support for (md5,rsa) in
TLSv1.2 digitally_signed.

Similarily, since the sunset date for SHA1-signatures had been
announced by NIST *before* TLSv1.2 (rfc5246) was published,
TLSv1.2 (rfc5246) should have never *NEWLY* added support for
(sha1,rsa) in TLSv1.2 digitally_signed, but have used (sha256,rsa)
from the beginning.  sha256 has been required for the TLSv1.2 PRF
and for HMAC-SHA256 of several cipher suites anyway, so there
was no excuse for not using sha256 in TLSv1.2 digitally_signed
in the first place.


-Martin