Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprecate
David Benjamin <davidben@chromium.org> Fri, 22 November 2019 02:25 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2156120836 for <tls@ietfa.amsl.com>; Thu, 21 Nov 2019 18:25:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.25
X-Spam-Level:
X-Spam-Status: No, score=-9.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5LmioEBsdYAU for <tls@ietfa.amsl.com>; Thu, 21 Nov 2019 18:25:41 -0800 (PST)
Received: from mail-pl1-x634.google.com (mail-pl1-x634.google.com [IPv6:2607:f8b0:4864:20::634]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90CD612012A for <tls@ietf.org>; Thu, 21 Nov 2019 18:25:41 -0800 (PST)
Received: by mail-pl1-x634.google.com with SMTP id s10so2462163plp.2 for <tls@ietf.org>; Thu, 21 Nov 2019 18:25:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=k4F3mgIwBUdJ26SmULZdf0WdEirY0okym6di0ykFUn8=; b=SJab9wHQG2cLKeGln0ZyHjD8jJSXqzawho9XJqMpK3uPfEkRNE1jgO6IL6Mbq5gTmz Jy5JbWiMVZrkxZlWJZw8Nomif1wXwuoqbzKfoBNsBSGWdzPuAmQHRlpal5N5OmVrYh9g 9p2Dyu6xYktARlJ44nRR41gQUA6mBhvcWkFCM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=k4F3mgIwBUdJ26SmULZdf0WdEirY0okym6di0ykFUn8=; b=iiza4PV0C4ewRspnOpPzF/ECjgLi8ZjxyFPwUap+OHXvPk9XNSClfUxWX0KAqtFAev g20Mi8iAZEyYDlwN09gnLtHu31x8M26ta6Au4Z/x/u7wIFm0HrwT6xRZQY8nnD5ho285 8meZSEiErKjAC9EAv5Jr7CU91BzqZVbZgkzKYPKAlLTCEFtK0iqAA0fSuk8dTm+Wpe8m cLt2sjniR1+bEd5YMXBLUag2/ytu52AW04efW7wbkovqqKrG/PJ44+yBpeqQuCh1z7km DpCyMF5CbUVfrxYcOGlaXByo0a2weTAgiiQ7TnZCI3p3OAmdhtcEcmuFqS3uQAYJ3y1X IXgg==
X-Gm-Message-State: APjAAAUytGXoiDHEXOMWMzIIb5kfBk9HWTkIi9kvJQ8iui0uUUERwyk4 DlkgnwaeTcEDsxGIaTsIvdyLMIEkwMzvUdeGTRsp
X-Google-Smtp-Source: APXvYqwvVJ8LX+mpSx4neNFD0eTpAzo1Uf9LCy2ftAEwb//l0YTVn6h73fge7aS7oazkHpJzA5KMe92XctOif7nRn6c=
X-Received: by 2002:a17:90a:974b:: with SMTP id i11mr15578569pjw.47.1574389540717; Thu, 21 Nov 2019 18:25:40 -0800 (PST)
MIME-Version: 1.0
References: <508EEDF7-73D2-4BE6-AFBA-710E5A5AB41F@sn3rd.com> <315F2BCF-11E0-4FBD-8420-865F29A66AD1@akamai.com>
In-Reply-To: <315F2BCF-11E0-4FBD-8420-865F29A66AD1@akamai.com>
From: David Benjamin <davidben@chromium.org>
Date: Fri, 22 Nov 2019 10:25:24 +0800
Message-ID: <CAF8qwaDoLGm+SjPE8T3UaQ0HY_M+EuU=GuWGaxGaPwvqCDKxgQ@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Sean Turner <sean@sn3rd.com>, TLS List <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005083d30597e6219f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1FGFy4Tx2VmUcau_tzHje3UOGbE>
Subject: Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprecate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Nov 2019 02:25:43 -0000
On Fri, Nov 22, 2019 at 8:35 AM Salz, Rich <rsalz@akamai.com> wrote: > > This is the working group last call for the "Deprecating MD5 and > SHA-1 signature hashes in TLS 1.2" draft available > https://datatracker.ietf.org/doc/draft-ietf-tls-md5-sha1-deprecate/. > Please review the document and send your comments to the list by 2359 UTC > on 13 December 2019. > > I just re-read this. Looks good. Perhaps a sentence of rationale in > section 2 and 3 explaining why its SHOULD NOT and not MUST NOT would help > explain things to some? > To that end, the combination of client advice in sections 2 and 4 is a bit odd. Section 2 uses SHOULD NOT include MD5 and SHA-1, but section 4 says the client MUST NOT accept the MD5 SHA-1, even if it included it. Why would the client include it in that case? It seems the two should either both be MUST NOT or both be SHOULD NOT. I think client-sent alerts in section 4 are also wrong. handshake_failure means the sender was unable to negotiate parameters, and insufficient_security is a variant of handshake_failure. This is the client reacting to the server sending something inconsistent with the ClientHello, so it should be illegal_parameter. In the context of ServerKeyExchange signatures, handshake_failure or insufficient_security would be sent by the *server* if the *client* only advertised MD5 and SHA-1. (In principle the client rules in section 4 are redundant with the text in section 2. It's just a restatement of negotiation requirements: your advertisement to the peer should match how you react to the peer's selection. But it's nice to write it explicitly and the document is not very long.) Some additional nitpicks: This document mostly writes "SHA-1", but the introduction has an instance of "SHA1". Section 2 should probably have a "the" before the first occurrence of "signature_algorithms extension". Section 4 includes both server behavior and the client restatement of negotiation requirements above, but section 5 does not include the corresponding server restatement of negotiation requirements. Otherwise, the document looks good to me.
- [TLS] WGLC for draft-ietf-tls-md5-sha1-deprecate Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprec… Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprec… David Benjamin
- Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprec… Hubert Kario
- Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprec… Hubert Kario
- Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprec… Ilari Liusvaara
- Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprec… Karthik Bhargavan
- Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprec… David Benjamin
- Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprec… Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprec… Russ Housley
- Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprec… Kathleen Moriarty
- Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprec… Alessandro Ghedini
- Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprec… Alessandro Ghedini
- Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprec… Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprec… Christopher Wood