Re: [saag] AD review of draft-iab-crypto-alg-agility-06

Russ Housley <> Thu, 03 September 2015 20:31 UTC

From: Russ Housley <>
Date: Thu, 3 Sep 2015 16:30:44 -0400
To: Eliot Lear <>


We are talking about section 2.6...

>>   Without clear mechanisms for algorithm and suite transition,
>>   preserving interoperability becomes a difficult social problem.  For
>>   example, consider web browsers.  Dropping support for an algorithm
>>   suite can break connectivity to some web sites, and the browser
>>   vendor will lose users by doing so.  This situation creates
>>   incentives to support algorithm suites that would otherwise be
>>   deprecated in order to preserve interoperability.
> Honestly this paragraph is confusing.  It's opaque because it's not
> clear whether you're aiming at a strawman of where TLS doesn't support
> agility or the case of long lived root or intermediate certificates.  If
> it's the former, can you find a more current example?  And the last
> sentence is just flat out ambiguous, although in an amusing sort of way
> (who deprecates in order to preserve interoperability?).

Kathleen also had a comment on this part of the document in her IESG ballot.

I'm trying to address both comments with this proposal:

2.6.  Preserving Interoperability

   Cryptographic algorithm deprecation is very difficult.  People do not
   like to introduce interoperability problems, even to preserve
   security.  As a result, flawed algorithms are supported for far too
   long.  The impact of legacy software and long support tails on
   security can be reduced by making it easy to transition from old
   algorithms and suites to new ones.  Social pressure is often needed
   to cause the transition to happen.

   Implementers have been reluctant to remove deprecated algorithms or
   suites from server software, and server administrators have been
   reluctant to disable them over concerns that some party will no longer
   have the ability to connect to their server.  Implementers and
   administrators want to improve security by using the best supported
   algorithms, but their actions are tempered by the desire to preserve
   connectivity.  Recently, some browser vendors have started to provide
   visual warnings when a deprecated algorithm or suite is used.  These
   visual warnings provide a new incentive to transition away from
   deprecated algorithms and suites.

   Transition in Internet infrastructure is particularly difficult.  The
   digital signature on the certificate for an intermediate
   certification authority (CA) [RFC5280] is often expected to last
   decades, which hinders the transition away from a weak signature
   algorithm or short key length.  Once a long-lived certificate is
   issued with a particular signature algorithm, that algorithm will be
   used by many relying parties, and none of them can stop supporting it
   without invalidating all of the subordinate certificates.  In a
   hierarchical system, many subordinate certificates could be impacted
   by the decision to drop support for a weak signature algorithm or an
   associated hash function.

   Institutions, being large or dominant users within a large user base,
   can assist by coordinating the demise of an algorithm suite, making
   the transition easier for their own users as well as others.