Re: [TLS] AD Review of draft-ietf-tls-tls13
Dave Garrett <davemgarrett@gmail.com> Sat, 20 May 2017 01:43 UTC
Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D63881271FD for <tls@ietfa.amsl.com>; Fri, 19 May 2017 18:43:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9GB9851WIQYP for <tls@ietfa.amsl.com>; Fri, 19 May 2017 18:43:23 -0700 (PDT)
Received: from mail-qt0-x22b.google.com (mail-qt0-x22b.google.com [IPv6:2607:f8b0:400d:c0d::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED1411204DA for <tls@ietf.org>; Fri, 19 May 2017 18:43:22 -0700 (PDT)
Received: by mail-qt0-x22b.google.com with SMTP id f55so70529807qta.3 for <tls@ietf.org>; Fri, 19 May 2017 18:43:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:user-agent:references:in-reply-to:mime-version :content-transfer-encoding:message-id; bh=ntgufxNNtnOOsrneKHTFHCvWlyYUu/vW9eZOHtC8czs=; b=vSUFBerljo0ZzjbQKEyvf1M5H2dsx7MdZ1Zw5G+nzipfDZjQJuVbUQlsoZVYk6i6/e /xX3yQ0v6WeEleiymnFlrF86xNV6rVjQzgkOhlOXY/STwrnpPKHyEgTHWaEpZMqfXdFP cVC2NFbxzryo9ux8EfzA6DBHQQ53rw8eqnsPTKaDzeKbbilnxYV/EZc5tmJy2aOpl086 Z5Ncic+WGyhW7J4Xp3HX/yeXltJroJkBBdQD+cXOsboWjVXbZEADOTh5axSuYhYnf3pt 50dnYhoJNQF+qzsGFwE675U/UdY9n3/5VUMMol3FrHS3SqU93CamWu/U/INA1MTRx+B6 mV2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:user-agent:references :in-reply-to:mime-version:content-transfer-encoding:message-id; bh=ntgufxNNtnOOsrneKHTFHCvWlyYUu/vW9eZOHtC8czs=; b=hqyg/Jlu1fXO4PXCdm0QHXYjGOtUZcKEL1WefpRAGkzgDNehuTM2e1H0/KQStTPtof f7yLoC0mFPDjBUsj2cgZlENrR1uaif+u7/AhkStmqJIjTC31/bhzI0DK4gvipnDLKJ/O z8jxq9enDymywk2e/0Q388XJJsOQKPVWHDllWTzUlse1lH41x8IOZ2Bkd5BpxQzTeopS nkIw9HYoNw2vGrxKDHeGGRrbLYexLssz7Ge5OGTDp3yhxD5XhzypBheohGhmamKmUFT1 ziDOLn414kHxg7+JAExc55AqffIZoBEqIuANzWB+3xEIEpWIeThPfLvOQGFQkJY116ww 6w8g==
X-Gm-Message-State: AODbwcD/sVgSbr8iM772dEV1ppiSFHF3UKP8Ad2I8luS4Sj/tO2HcUiL Byy4vJmnu+oYFw==
X-Received: by 10.200.42.252 with SMTP id c57mr12563835qta.282.1495244601750; Fri, 19 May 2017 18:43:21 -0700 (PDT)
Received: from dave-laptop.localnet (pool-71-185-36-197.phlapa.fios.verizon.net. [71.185.36.197]) by smtp.gmail.com with ESMTPSA id y48sm4635673qta.66.2017.05.19.18.43.20 (version=TLS1 cipher=AES128-SHA bits=128/128); Fri, 19 May 2017 18:43:20 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org, Viktor Dukhovni <ietf-dane@dukhovni.org>
Date: Fri, 19 May 2017 21:43:19 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <CAPZZOTgizE2n06V9wEtARFCXB7FP_eikW-K1k67bZG11kNhSAw@mail.gmail.com> <44AED5C2-B21C-442A-8412-9134D1C10BCD@dukhovni.org>
In-Reply-To: <44AED5C2-B21C-442A-8412-9134D1C10BCD@dukhovni.org>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201705192143.19490.davemgarrett@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/27Xli5SVezF5fpoLKaH1K5cK_dY>
Subject: Re: [TLS] AD Review of draft-ietf-tls-tls13
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 May 2017 01:43:25 -0000
On Friday, May 19, 2017 04:51:21 pm Viktor Dukhovni wrote: > Which brings us to some more undesirable layer violation in the current > draft. The language in question is appropriate for updates to RFC5280, > but does not belong in TLS. The problems in question are largely > already addressed elsewhere (as CAs no longer issue MD5, SHA1, ... > certificates, browsers no longer support them, ...) and continue to > be further remediated in the appropriate standards and products. > > Therefore delete: > > Section 4.2.3 (Legacy algorithms paragraph final sentence): > > ... TLS 1.3 servers > MUST NOT offer a SHA-1 signed certificate unless no valid > certificate chain can be produced without it (see > Section 4.4.2.2). > > Section 4.4.2.2: > > ... This fallback chain MAY use the deprecated SHA-1 hash > algorithm only if the "signature_algorithms" extension provided by > the client permits it. If the client cannot construct an acceptable > chain using the provided certificates and decides to abort the > handshake, then it MUST abort the handshake with an > "unsupported_certificate" alert. > > Section 4.4.2.4: > > Any endpoint receiving any certificate signed using any signature > algorithm using an MD5 hash MUST abort the handshake with a > "bad_certificate" alert. SHA-1 is deprecated and it is RECOMMENDED > that any endpoint receiving any certificate signed using any > signature algorithm using a SHA-1 hash abort the handshake with a > "bad_certificate" alert. All endpoints are RECOMMENDED to transition > to SHA-256 or better as soon as possible to maintain interoperability > with implementations currently in the process of phasing out SHA-1 > support. No. I strongly oppose stripping all off this out. > I note that TLS 1.3 does not have any language prohibiting MD2, MDC2DES, > MD4, RIPEMD160, private signature oids, ... that may be weaker than SHA-1 > or even MD5. They're not listed as possible field values anywhere directly in the TLS spec. If someone wants to add a line to one of the "MUST NOT" lists somewhere for all hashes weaker than SHA-1, that sounds fine to me. > Opportunistic unauthenticated TLS ignores the peer certificate and should > not have to fall back to cleartext just because some certificate in the > chain is not sufficiently sexy. There are other legitimate use cases where > the restrictions above are inappropriate. Opportunistic unauthenticated TLS isn't the protocol we're defining here. If your goal isn't authentication, then by all means violate the requirements laid out for authentication. I have no problem making that explicit, if desired, however this is not the primary desired operating mode of TLS. > The reason I am pointing this out is that I just had to waste a bunch of > time convincing the rest of the OpenSSL team to ignore the draft language > in question, and just stick with whatever "security level" (floor on > algorithm strength) the application or default settings requested. This > already excludes MD5 by default, and we'll likely adjust the collision > resistance rating of SHA-1 from 2^80 to its reported ~2^64 strength (from > the recent Google collision announcement), after which SHA-1 will also > be excluded at security level 1. This will be done in the X.509 ala PKIX > code and not the TLS code, and applications that ignore the chain or do > DANE-EE(3), ... will not be affected. > > I propose that the current draft language is just a landmine for TLS > implementations, that addresses a non-problem (or more precisely a > problem that is more properly and well addressed elsewhere). TLS is already a minefield of problems. Enumerating many of them explicitly is a step forward to avoiding them more easily in the future. In a complex system, just fixing something in one place is not enough. If we list it as a possible option in the spec, we should be _very_ clear when it is crap. I'm aware that this is unavoidably messy. Viktor, your input has greatly helped improve the language here to accommodate varying use-cases, and I would personally prefer we work together to make the mess correct, rather than give up and delete the relevant text. Dave
- [TLS] AD Review of draft-ietf-tls-tls13 Kathleen Moriarty
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Eric Rescorla
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Kathleen Moriarty
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Russ Housley
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Viktor Dukhovni
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Eric Rescorla
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Russ Housley
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Kathleen Moriarty
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Eric Rescorla
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Russ Housley
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Kathleen Moriarty
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Viktor Dukhovni
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Kathleen Moriarty
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Eric Rescorla
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Eric Rescorla
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Dave Garrett
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Brian Smith
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Eric Rescorla
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Martin Thomson
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Ilari Liusvaara
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Sankalp Bagaria
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Viktor Dukhovni
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Nico Williams
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Dave Garrett
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Viktor Dukhovni
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Nico Williams
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Viktor Dukhovni
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Ilari Liusvaara
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Nico Williams
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Viktor Dukhovni
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Viktor Dukhovni
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Benjamin Kaduk
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Viktor Dukhovni
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Benjamin Kaduk
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Salz, Rich
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Viktor Dukhovni
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Yoav Nir
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Viktor Dukhovni
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Eric Rescorla
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Nico Williams
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Eric Rescorla
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Nico Williams
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Eric Rescorla
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Nico Williams
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Viktor Dukhovni
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Eric Rescorla
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Eric Rescorla
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Viktor Dukhovni
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Nico Williams
- [TLS] Better weak hash language (was Re: AD Revie… Dave Garrett
- Re: [TLS] Better weak hash language (was Re: AD R… Viktor Dukhovni
- Re: [TLS] Better weak hash language (was Re: AD R… Dave Garrett
- Re: [TLS] Better weak hash language (was Re: AD R… Viktor Dukhovni
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Bill Frantz
- Re: [TLS] AD Review of draft-ietf-tls-tls13 Ilari Liusvaara
- Re: [TLS] Better weak hash language (was Re: AD R… Nico Williams
- [TLS] Standard security levels (was Re: Better we… Nico Williams