Re: [TLS] TLS RSA-PSS and various versions of TLS

Yoav Nir <ynir.ietf@gmail.com> Wed, 08 February 2017 20:20 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <F7ABE5CE-D75C-447B-A0C0-C083E8647ADD@gmail.com>
Date: Wed, 08 Feb 2017 22:20:46 +0200
In-Reply-To: <E521BA5F-4563-44D2-B186-B11B7B214A15@mobileiron.com>
To: Timothy Jackson <tjackson@mobileiron.com>
References: <E521BA5F-4563-44D2-B186-B11B7B214A15@mobileiron.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4jub4vfJCWs5xgbqgQ0HCUVSuDU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS RSA-PSS and various versions of TLS

> On 8 Feb 2017, at 21:34, Timothy Jackson <tjackson@mobileiron.com> wrote:
> 
> I have a question on RFC5246 (TLS 1.2) and how it’s going to interact with RSASSA-PSS as we roll out TLS 1.3. Does the prohibition against RSASSA-PSS apply only to the signatures that can be used for signing handshakes, or does it apply to the entire certificate chain as well? I ask because, while I think the latter may have been the intent, I have not found anything that indicates the former is not actually what the RFCs require.
> 
> The relevant section of RFC4056 reads:
> 
> 7.4.2 Server Certificate
> …
>    Note that there are certificates that use algorithms and/or algorithm
>    combinations that cannot be currently used with TLS.  For example, a
>    certificate with RSASSA-PSS signature key (id-RSASSA-PSS OID in
>    SubjectPublicKeyInfo) cannot be used because TLS defines no
>    corresponding signature algorithm.
> 
> I don’t see anything here that restricts which signatures can be used on the certificates themselves. Is that accurate?

No.  A few paragraphs up:

   If the client provided a "signature_algorithms" extension, then all
   certificates provided by the server MUST be signed by a
   hash/signature algorithm pair that appears in that extension.

And it doesn’t help if the client does not provide the extension.  The extension can restrict from among the set of supported algorithms; its absence does not allow undefined algorithms.

Yoav
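As an added illustration (not part of this message, the RFC, or any TLS implementation), the following Python encodes the rule quoted above: decode a client's signature_algorithms extension into RFC 5246 hash/signature pairs, then check that every certificate the server presents is signed with a pair the client offered, and that an algorithm with no TLS 1.2 pair at all (RSASSA-PSS) is rejected whether or not the extension was sent. The chain records, their field names, and the extension bytes are constructed for the example.

```python
"""TLS 1.2 certificate-chain signature check (RFC 5246 section 7.4.2 rule).
Added example with constructed inputs; chain entries are dicts, not real certs."""
import struct

# RFC 5246 7.4.1.4.1 code points for SignatureAndHashAlgorithm.
HASH = {2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG = {1: "rsa", 2: "dsa", 3: "ecdsa"}

# Certificate signatureAlgorithm names (as openssl prints them) mapped to the
# TLS 1.2 pair they correspond to.  RSASSA-PSS is deliberately absent: TLS 1.2
# defines no pair for it, so it cannot even be expressed in the extension.
CERT_SIG_TO_TLS = {
    "sha1WithRSAEncryption": ("sha1", "rsa"),
    "sha256WithRSAEncryption": ("sha256", "rsa"),
    "sha384WithRSAEncryption": ("sha384", "rsa"),
    "ecdsa-with-SHA256": ("sha256", "ecdsa"),
    "ecdsa-with-SHA384": ("sha384", "ecdsa"),
}

def parse_signature_algorithms(ext_body: bytes) -> set:
    """Decode extension_data of signature_algorithms: a 2-byte length followed
    by (hash, signature) byte pairs.  Returns the set of offered name pairs."""
    (length,) = struct.unpack("!H", ext_body[:2])
    pairs = ext_body[2:2 + length]
    if length != len(pairs) or length % 2:
        raise ValueError("malformed signature_algorithms extension")
    return {(HASH.get(h, "unknown"), SIG.get(s, "unknown"))
            for h, s in zip(pairs[0::2], pairs[1::2])}

def check_chain(chain, offered=None):
    """Return a list of problems; an empty list means the chain is acceptable.
    `offered` is the set from parse_signature_algorithms, or None when the
    client sent no extension (absence does not admit undefined algorithms)."""
    problems = []
    for cert in chain:
        pair = CERT_SIG_TO_TLS.get(cert["sig_alg"])
        if pair is None:
            problems.append(f"{cert['subject']}: {cert['sig_alg']} is not a TLS 1.2 algorithm")
        elif offered is not None and pair not in offered:
            problems.append(f"{cert['subject']}: {'/'.join(pair)} not in client's signature_algorithms")
    return problems

# Constructed inputs: a client offering sha256/rsa and sha256/ecdsa, and two chains.
CLIENT_EXT = bytes([0x00, 0x04, 0x04, 0x01, 0x04, 0x03])
GOOD_CHAIN = [{"subject": "leaf", "sig_alg": "sha256WithRSAEncryption"},
              {"subject": "intermediate", "sig_alg": "sha256WithRSAEncryption"}]
PSS_CHAIN = [{"subject": "leaf", "sig_alg": "RSASSA-PSS"},
             {"subject": "intermediate", "sig_alg": "sha384WithRSAEncryption"}]
```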