IETF Logo Mail Archive

Re: [TLS] Adoption call for draft-davidben-tls13-pkcs1

David Benjamin <davidben@chromium.org> Wed, 11 December 2019 17:06 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77BA61200D8 for <tls@ietfa.amsl.com>; Wed, 11 Dec 2019 09:06:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.249
X-Spam-Level:
X-Spam-Status: No, score=-9.249 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yvf2OWSr2mwZ for <tls@ietfa.amsl.com>; Wed, 11 Dec 2019 09:06:36 -0800 (PST)
Received: from mail-pf1-x443.google.com (mail-pf1-x443.google.com [IPv6:2607:f8b0:4864:20::443]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD1F812000F for <tls@ietf.org>; Wed, 11 Dec 2019 09:06:36 -0800 (PST)
Received: by mail-pf1-x443.google.com with SMTP id x185so2105004pfc.5 for <tls@ietf.org>; Wed, 11 Dec 2019 09:06:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DYRqBq3Bbo2n5e5bXEX2tTGpxehO/xetMASaLzhPVIo=; b=AAQkH8yO/e7cu3ZsdJ6DVVZkegzI1hXKS+avA6dj/kBF3jnL0f1NbZlCWee1F/uzn9 fTZtOoqEfRbKOYU0u7bPIljhj8/9yKk/DBMNOxCKzs29KQKiD1mx0/JakYolydwcR7i2 +Hc28w4KAp28/2vW1KnkE5B1wHmD8NJgzDSQU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DYRqBq3Bbo2n5e5bXEX2tTGpxehO/xetMASaLzhPVIo=; b=OfXBX/xIM8fDd5HafEHXs2b6K58yWDB2R+43Qlp4ZUdSWy+qrkR5hCldSpkDlbRTFN 8P4FvWhm7BXxFjKMSrHyZkwazLajI4UIyjxg1Dfe6iTL+509Y1FZ5BaYzmcwthkA6RXH HWfAZa5McQqfKjxqgzrthKlJmMcYese/MUqtFGIVPuGQlt9z2imcNgMOxLpPVp46IHIU G4/2KsiPj6gO9zqJHTHTNX5RujDoa71vvnfgJ7rx+OBzFUC7+Kj4zMQYqZx8G3NthcRo YnS0wT8SUMYNT4KuUlQQJNVFkb9JOFBhaKhO+YGpjoRKCzhJ0PFZRX77IN8sis9AfZtD 667g==
X-Gm-Message-State: APjAAAVZMGyhwD4uTNGekRO2mEJQmMlx2UDwUonvTlxUPE/6Fyd4v3Tz nLTPi4L3KGjKzLlDmDF4o9SYcd9eliG0x/42Nb3UV2PuAQ==
X-Google-Smtp-Source: APXvYqywRKiB+nCGU9FAL5d0EqJ6UGPiYtrqJmZ47aKkPz3azZt60nR1X+KNKbEVm4B6ukzfQjoGoMq6WvdstGFQNf4=
X-Received: by 2002:aa7:8e05:: with SMTP id c5mr4906890pfr.4.1576083995958; Wed, 11 Dec 2019 09:06:35 -0800 (PST)
MIME-Version: 1.0
References: <843cc437-4c6d-43ce-b634-527a287c4e27@www.fastmail.com> <c4bab542-f1fd-4c80-89b8-1b7a3ef883a7@www.fastmail.com> <CAMfhd9W_+1i=Q48GKAxT=TtHm+fKxUKUepqCtfJ7xQ6LgM4h_w@mail.gmail.com> <CAEMoRCshwo1vsb+bYbJLpOCMWGcJ15sz8COXeXbxmX-KDbY8Mw@mail.gmail.com> <20191207102017.GA1754124@LK-Perkele-VII> <8f54acb3-61df-4617-b2c6-53b8c9021575@redhat.com> <20191211142155.GA1879660@LK-Perkele-VII>
In-Reply-To: <20191211142155.GA1879660@LK-Perkele-VII>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 11 Dec 2019 12:06:19 -0500
Message-ID: <CAF8qwaAHXGWwAswv8XfhjhN3fi7XtVSngLJY8sekYgX+u=wXVA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b77aab059970a6a5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6zkb9LC9wkEYkxxZaBGIoAgUv-w>
Subject: Re: [TLS] Adoption call for draft-davidben-tls13-pkcs1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Dec 2019 17:06:39 -0000

On Wed, Dec 11, 2019 at 9:22 AM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Wed, Dec 11, 2019 at 02:21:48PM +0100, Hubert Kario wrote:
> > On Saturday, 7 December 2019 11:20:17 CET, Ilari Liusvaara wrote:
> > >
> > > One test I just tried:
> > >
> > > - Smartcard capable of raw RSA.
> > > - OpenSC PKCS#11 drivers.
> > > - Firefox ESR 68
> > > - Server supports TLS 1.3 (Accept RSA PKCS#1v1.5 client signatures is
> > >   enabled[2]).
> > >
> > > Result: Failed. Client hits internal error code
> SEC_ERROR_LIBRARY_FAILURE
> > > [3].
> >
> > That doesn't match my understanding of how NSS works – AFAIK, NSS (and as
> > such, Firefox), will try both raw RSA and rsa-pss signatures with the
> token,
> > depending on what kind of algorithms the token advertises.
> >
> > I think the issue was the old version of OpenSC, new versions can do
> rsa-pss
> > with rsa-raw:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1595626
> > https://github.com/OpenSC/OpenSC/pull/1435
>
> Ok, upgrading the OpenSC to git master (0.20.0-rc34-2-gee78b0b8) makes
> client certificates in TLS 1.3 in Firefox work with that card (works even
> if accept RSA PKCS#1v1.5 client signatures is disabled on server side).
>
> There is apparently no release with the fix. One needs 0.20-rcX or recent
> git master.
>

Chrome likewise tries to polyfill PSS support out of raw RSA when the
underlying keys support it, but PSS support is still a problem. In
particular, I believe TPM 1.2 can neither do RSA-PSS nor polyfill it with
raw padding. (Oddly, the spec does reference OAEP, but signing is only
PKCS#1 v1.5.) TPM 2.0 can do PSS, but hardware lifecycles are long. Between
the negotiation ordering and the client certificate privacy flaw fixed in
TLS 1.3, simply saying "no TLS 1.3 for those keys" is problematic. Thus,
the draft. It's true that it adds some transitionary codepoints to TLS 1.3,
but the point of TLS 1.3 was not switching to PSS. That's a minor bonus on
top of *much* more important changes.

Most properties negotiated by TLS can be unilaterally updated by the
TLS-related components of a system. This is great because it means we can
deploy TLS 1.3's improvements. The long-term credentials are one of the big
exceptions here and, indeed, we didn't just make TLS 1.3 mandate Ed25519.
We wanted to maintain continuity with existing RSA keys, but since it was
possible to switch them to RSA-PSS we went ahead and did that. Sadly, it
appears that last point can be more true for server keys than client keys.
:-(

David

v2.23.0 | Report a Bug | By Email