Re: [TLS] Renumbering the new SignatureSchemes

Eric Rescorla <ekr@rtfm.com> Tue, 20 September 2016 16:14 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A676A12B2E9 for <tls@ietfa.amsl.com>; Tue, 20 Sep 2016 09:14:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IUzOYb41Lo_i for <tls@ietfa.amsl.com>; Tue, 20 Sep 2016 09:14:41 -0700 (PDT)
Received: from mail-yw0-x22a.google.com (mail-yw0-x22a.google.com [IPv6:2607:f8b0:4002:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8491712B261 for <tls@ietf.org>; Tue, 20 Sep 2016 09:14:41 -0700 (PDT)
Received: by mail-yw0-x22a.google.com with SMTP id i129so15365832ywb.0 for <tls@ietf.org>; Tue, 20 Sep 2016 09:14:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=OXfmNZbaQ+7O3c/OIKxkADjBUQLuD2IvZznazg0C/wE=; b=ISq/1wUdg7yY4eyOeZ9n/0zzmiMWnqhzavlMhr27ebUMBKOxWH4DbQEANZ05XEHyyg suDYVU08XFGJEEbhmpbHjjf36gxWnXv5A/Y+7duQKmvyS6ER5pc04DOFoa+wX6Aysq2n S2TNWQKyHTbdhGfxepXZNgbFu6/Ew0H8uKkGr8qFLYfP7g32K/rSmCGQ7qgXJLXitCIq jO0AjoaUynvROB8xrCLF2MoJWYpeN3HvkmF8J8tAS/pcRRG841EeUX3bBD9fRt7INv5f KHv5bbA8fXD4H+yIaGmAC319McHArqHA+9UojtaUSjiJceXTxo4XrDB51sRfU5UOdnAU l9Bg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=OXfmNZbaQ+7O3c/OIKxkADjBUQLuD2IvZznazg0C/wE=; b=Zi50GTAot0WRG8sHXIqX637EDhCd8cup1RcwjQ6jArJwvR8R0aSi2FpD14hhJSR8YN Rc6XhB2MoAInNI5cipQBfV7zNCiehXRLIdj4MQXV2VB89iatMY3ifRGxURgUR3Dd9bSs zB/LEhQzv3GHHKqAQi7yKUm8uzEzWI+pF9IcCS0IMooxd7k8k/R387bparfxTueUBk2F lF97cn3UKsJGqsInoQeD7iTdevnXW/RxIRqoa9O3fBzpCtwaQpc4UzFS/AkUkc6yy71Y 01vLlHIWtG2N9q0JS1SkJbgUSv9x8ti+IsaoA+hLaRe0ZAXopxsgG2MRIPJ/fsEjl1Tw tW3Q==
X-Gm-Message-State: AE9vXwPCy03NIcjlonizHSfW/KK+qq5gXvqEzKEKsVtkbuNxaVpyvOpp5TVUc8wZIjt4dRbOXccd4b6HNeMWyg==
X-Received: by 10.129.86.131 with SMTP id k125mr30162007ywb.21.1474388080761; Tue, 20 Sep 2016 09:14:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.160.10 with HTTP; Tue, 20 Sep 2016 09:14:00 -0700 (PDT)
In-Reply-To: <CAF8qwaBpksHy_=csDKmnSU3k5uQDkf2-0dGUsbf1v9h998cK2A@mail.gmail.com>
References: <CAF8qwaAo-MKJvxdpDkb-fyMfLmOpbhif=2Axik3wnr1DPzd5Eg@mail.gmail.com> <20160920153327.GA12381@LK-Perkele-V2.elisa-laajakaista.fi> <CAF8qwaBpksHy_=csDKmnSU3k5uQDkf2-0dGUsbf1v9h998cK2A@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 20 Sep 2016 09:14:00 -0700
Message-ID: <CABcZeBOqiYnhd9d_RQvKucSSSA9=--_e4wKBrBm3SZRzVvR-0g@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Content-Type: multipart/alternative; boundary=001a1143312cd0dc8d053cf2b96a
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-4xcDGLYE6lJFiLNlihVqN6ds9w>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Renumbering the new SignatureSchemes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Sep 2016 16:14:43 -0000

This seems like a good change. I'll merge it before -16 unless someone
objects.

On Tue, Sep 20, 2016 at 8:56 AM, David Benjamin <davidben@chromium.org>;
wrote:

> On Tue, Sep 20, 2016 at 11:33 AM Ilari Liusvaara <ilariliusvaara@welho.com>;
> wrote:
>
>> On Tue, Sep 20, 2016 at 03:07:51PM +0000, David Benjamin wrote:
>> > Hi folks,
>> >
>> > I've just uploaded this PR to slightly tweak SignatureScheme numbering:
>> > https://github.com/tlswg/tls13-spec/pull/641
>> >
>> > In principle, we should only have needed to burn values starting with
>> known
>> > HashAlgorithms, but TLS 1.2 said:
>> >
>> >    signature
>> >       This field indicates the signature algorithm that may be used.
>> >       The values indicate anonymous signatures, RSASSA-PKCS1-v1_5
>> >       [PKCS1] and DSA [DSS], and ECDSA [ECDSA], respectively.  The
>> >       "anonymous" value is meaningless in this context but used in
>> >       Section 7.4.3.  It MUST NOT appear in this extension.
>> >
>> > We'd started RSA-PSS along the train to get shipped in Chrome to get
>> early
>> > warning on any interoperability issues. We ran into an implementation
>> which
>> > enforced this MUST NOT. It's a MUST NOT in 1.2, so it seems prudent to
>> > allocate around it and avoid ending in known SignatureAlgorithms. Thus,
>> > rather than only burning {0x00-0x06, *}, we also burn {*, 0x00-0x03}.
>> This
>> > has the added benefit that TLS 1.2 dissector tools don't get confused.
>>
>> Heck, I think one could put the RSA-PSS ones as 0404, 0504 and 0604,
>> as those do have the indicated "prehashes".
>>
>> And one could probably also stick Ed25519/Ed448 in 00xx, as those have
>> no prehash, which is exactly what "hash #0" is about.
>>
>> (Of course, this all is pretty pointless bikeshedding).
>>
>
> The ecdsa_p256_sha256 business means that the old scheme isn't quite
> accurate. And if we are to drop the old scheme, it was intentional on my
> part that RSA-PSS did not look like it, even though it still fit. I think
> that paid off. No one's going to implement Ed25519 for a while, so RSA-PSS
> is our smoke test that this SignatureScheme idea is sane. (Both for interop
> and for making sure removing the hash/sig decomposition in implementations
> internally is sound.)
>
> David
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>