Re: [TLS] TLS 1.3 draft-07 sneak peek

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Tue, 07 July 2015 14:54 UTC

From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
In-Reply-To: <20150707143431.GA853@LK-Perkele-VII>
Date: Tue, 07 Jul 2015 10:54:09 -0400
Message-Id: <7D0FA086-F797-4B11-B5DE-6D202DEF8001@gmail.com>
References: <CABcZeBOWK_WnHAefsZUBr4UyEkyiZqi1mhoZH8ZeGFftdOqTTw@mail.gmail.com> <201507031907.13872.davemgarrett@gmail.com> <CABcZeBOvNMXESnv1pJRj39sPwsUnR=UW1r0TQK5uJPeuHLa+sg@mail.gmail.com> <201507031925.04809.davemgarrett@gmail.com> <20150707143431.GA853@LK-Perkele-VII>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/3ZDWTNkB_Tf-kKtIRLu8dH_amuY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 draft-07 sneak peek

Putting aside the timeline for retiring SHA-1 from certificates, which will happen
sooner than later, I think we should ban MD5 and SHA1 from client and server 
signatures in TLS 1.3. 

Recent events show that TLS servers get updated too slowly to hope
for graceful deprecation. Using the version change to remove these 
(like we removed RSA encryption and RC4) would be the right thing to do.

-Karthik

> On 07 Jul 2015, at 10:34, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote:
> 
> On Fri, Jul 03, 2015 at 07:25:04PM -0400, Dave Garrett wrote:
>> On Friday, July 03, 2015 07:13:15 pm Eric Rescorla wrote:
>>> I think we probably need to have WG consensus for the SHA-1 thing.
>> 
>> Yes, that's why I left it out of that changeset. I don't think the
>> topic of what to do in the TLS 1.3 spec with SHA1 has been discussed
>> on this list. (if it has, please point me to the thread if someone
>> can)
>> 
>> The simplest thing would be to have a MUST NOT offer or negotiate
>> in 2017 or later and a NOT RECOMMENDED to use until then. Or, we
>> could go deeper into the weeds and talk about expiration dates.
>> Banning it totally for TLS 1.3+ is also an option, but probably not
>> wanted yet.
> 
> No, the simplest thing would be to ban it entirely:
> - MUST ignore entries with MD5 or SHA1 hash in
>  supported_signature_algorithms, even if those are the only
>  ones (which will cause handshake failure).
> - MUST terminate connection with insufficient_security if MD5 or
>  SHA1 is seen in DigitallySigned.algorithm.
> 
> SHA-1 is known to be seriously broken. That is way more than
> enough reason to completely remove it. Especially from new
> standards.
> 
> 
> If one wants those to also apply to TLS 1.2, plus:
> - MUST send signature_algorithms extension in TLS 1.2+,
>  server MUST terminate connections without it.
> - MUST NOT send MD5 or SHA1 entries in
>  supported_signature_algorithms.
> 
> Effective immediately for MD5, and in 1.1.2017 for SHA1
> (including signature_algorithms) is a separate matter
> (and separate draft).
> 
> 
> 
> -Ilari
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
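As an added example (my own code, not Ilari's text or anything from the draft), here are the two server-side rules from the quoted message applied to the TLS 1.2 wire encodings from RFC 5246: the signature_algorithms extension body and a DigitallySigned struct. The code points and alert numbers are RFC 5246 values; the sample ClientHello bytes are constructed.

```python
"""Added example: the MD5/SHA-1 ban applied to TLS 1.2 wire structures.
Code points and alert values are from RFC 5246; inputs are constructed."""
import struct

# RFC 5246 HashAlgorithm / SignatureAlgorithm code points
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
BANNED_HASHES = {1, 2}           # md5, sha1
INSUFFICIENT_SECURITY = 71       # AlertDescription.insufficient_security
DECODE_ERROR = 50                # AlertDescription.decode_error

# Constructed signature_algorithms extension body offering
# sha1/rsa, sha256/rsa, sha1/ecdsa, sha384/ecdsa (2-byte length prefix).
SAMPLE_EXT = bytes([0x00, 0x08, 0x02, 0x01, 0x04, 0x01, 0x02, 0x03, 0x05, 0x03])


def parse_signature_algorithms(ext_body: bytes):
    """Parse supported_signature_algorithms<2..2^16-2> into (hash, sig) pairs."""
    if len(ext_body) < 2:
        raise ValueError("truncated extension")
    (length,) = struct.unpack("!H", ext_body[:2])
    body = ext_body[2:2 + length]
    if len(body) != length or length < 2 or length % 2 != 0:
        raise ValueError("bad supported_signature_algorithms length")
    return [(body[i], body[i + 1]) for i in range(0, length, 2)]


def filter_offered(pairs):
    """Rule 1: ignore entries whose hash is MD5 or SHA-1, even if they were
    the only ones offered. An empty result means no usable algorithm, i.e.
    the handshake fails rather than falling back to a banned hash."""
    return [p for p in pairs if p[0] not in BANNED_HASHES]


def check_digitally_signed(ds: bytes):
    """Rule 2: inspect DigitallySigned { algorithm(2); signature<0..2^16-1> }.
    Return None if acceptable, otherwise the AlertDescription to send."""
    if len(ds) < 4:
        return DECODE_ERROR
    hash_alg = ds[0]
    (sig_len,) = struct.unpack("!H", ds[2:4])
    if len(ds) != 4 + sig_len:
        return DECODE_ERROR
    if hash_alg in BANNED_HASHES:
        return INSUFFICIENT_SECURITY   # terminate, do not verify the signature
    return None


def describe(pairs):
    """Human-readable view of (hash, sig) pairs for logging a rejected offer."""
    return [f"{HASH_NAMES.get(h, h)}/{SIG_NAMES.get(s, s)}" for h, s in pairs]
```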