Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client
Geoffrey Keating <geoffk@geoffk.org> Sat, 05 March 2011 00:23 UTC
Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 647703A6921 for <tls@core3.amsl.com>; Fri, 4 Mar 2011 16:23:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.499
X-Spam-Level:
X-Spam-Status: No, score=-2.499 tagged_above=-999 required=5 tests=[AWL=-0.500, BAYES_00=-2.599, J_CHICKENPOX_47=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uLaUfQqgM6fa for <tls@core3.amsl.com>; Fri, 4 Mar 2011 16:23:13 -0800 (PST)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [216.129.118.138]) by core3.amsl.com (Postfix) with ESMTP id 944E13A68A9 for <tls@ietf.org>; Fri, 4 Mar 2011 16:23:13 -0800 (PST)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id B26E633D199; Sat, 5 Mar 2011 00:24:19 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: mrex@sap.com
References: <m2r5amh76n.fsf@localhost.localdomain> <201103042341.p24NfVKj018910@fs4113.wdf.sap.corp>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: Fri, 04 Mar 2011 16:24:19 -0800
In-Reply-To: <201103042341.p24NfVKj018910@fs4113.wdf.sap.corp>
Message-ID: <m2mxlah0ss.fsf@localhost.localdomain>
Lines: 86
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: tls@ietf.org
Subject: Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Mar 2011 00:23:14 -0000
Martin Rex <mrex@sap.com> writes: > Geoffrey Keating wrote: > > > > Martin Rex <mrex@sap.com> writes: > > > > > Michael D'Errico wrote: > > > > > > > > Matt DeMoss wrote: > > > > > I'd encourage consideration of client certificates also. If the client > > > > > has certificate chains for SHA1 and SHA2 or for SHA2 and SHA3, it > > > > > needs a way to choose which chain to send during periods of transition > > > > > where some servers will reject SHA2 and others will reject SHA3. > > > > > > > > Isn't this already in TLS 1.2? When the server requests a client > > > > certificate, the CertificateRequest includes a list of acceptable > > > > signature algorithms. The client can then check each of its > > > > certificate chains to find the best one the server can handle. > > > > > > It is *MUCH* worse than that. > > > > > > TLSv1.2 goes as far as _requiring_ that if the signature_algorithm > > > extension is sent, that the receiver MUST ensure that all certificates > > > in the chain are from the signature_algorithm set. > > > > That's in the server's chain, though, not the client's. For the > > client, the possible certificate algorithms and types are listed in the > > CertificateRequest, not in an extension, and the list is not optional. > > > http://tools.ietf.org/html/rfc5246#section-7.4.4 > > 7.4.4. Certificate Request > > struct { > ClientCertificateType certificate_types<1..2^8-1>; > SignatureAndHashAlgorithm > supported_signature_algorithms<2^16-1>; > DistinguishedName certificate_authorities<0..2^16-1>; > } CertificateRequest; > > supported_signature_algorithms > A list of the hash/signature algorithm pairs that the server is > able to verify, listed in descending order of preference. > > - Any certificates provided by the client MUST be signed using a > hash/signature algorithm pair found in > supported_signature_algorithms. > > > Adding support for sha256WithRsaEncryption in X.509 certs to the PKI > module of an existing implementation of SSLv3 or TLSv1.0 in your > installed base is an almost trivial software change. About a magnitude(!) > less work&testing than implementing rfc-5746 (TLS extension RI). I think you're talking here about the signature_algorithms extension, which is sent by the client to the server, not the CertificateRequest you quoted immediately above, which is sent by the server to the client. The CertificateRequest in TLSv1.1 does not include a supported_signature_algorithms field, so if you're using 1.1 or earlier there's just no way for the server to tell the client which hash algorithm to use if there's a choice. So, the software change required (to support a choice) is to implement TLSv1.2, which is possibly another order of magnitude more complicated than deploying basic TLS extension support. > Even Microsoft managed to design their TLSv1.0 protocol stack in > Microsoft Windows XP in a fashion that it can be used with completely > different cryptoalgorithms (like entirely from the GOST suite) > with the installation of a CryptoCSP. What do they send for certificate_types for GOST? IANA does not seem to have allocated a ClientCertificateType identifier, and the certificate_types field is present even in TLSv1.0. All your other points are good, but most are not relevant to the discussion of client certificates. A point which you didn't quite make, but which is close to one of the points that you did make and which I would have agreed with, is that the CertificateRequest should use OIDs to specify certificate types and algorithms rather than values assigned using IANA registries, and I'd support this for TLS 1.4. However, this is not quite as trivial as it sounds, because you must still consider how this interacts with OpenPGP certificates.
- [TLS] TLSv1.2 with DSA client cert and key size >… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Wan-Teh Chang
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- [TLS] TLS v1.2 performance (was Re: TLSv1.2 with … Michael D'Errico
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Nikos Mavrogiannopoulos
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Dr Stephen Henson
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Dr Stephen Henson
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Kemp, David P.
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Wan-Teh Chang
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Yoav Nir
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Marsh Ray
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Kyle Hamilton
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Matt DeMoss
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Matt DeMoss
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Sean Turner
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex