Re: [TLS] Possible TLS 1.3 erratum

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 20 July 2021 16:17 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Ryan Sleevi <ryan-ietftls@sleevi.com>
CC: Hubert Kario <hkario@redhat.com>, "tls@ietf.org" <tls@ietf.org>
Date: Tue, 20 Jul 2021 16:16:54 +0000
Message-ID: <SY4PR01MB625129DEF413E9A7AD7AEEEDEEE29@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <SY4PR01MB6251EDB24FCAAEEFF65B5A58EEE19@SY4PR01MB6251.ausprd01.prod.outlook.com> <ed9594be-dbae-4fd8-8971-a601a55b5d9e@redhat.com> <SY4PR01MB6251FA6EACDD9D2991E9C4A1EEE29@SY4PR01MB6251.ausprd01.prod.outlook.com>, <CAErg=HFyv97wHcatguj6zLhi4GOaNQRnJ6yyhx-8DaeaLjYToQ@mail.gmail.com>
In-Reply-To: <CAErg=HFyv97wHcatguj6zLhi4GOaNQRnJ6yyhx-8DaeaLjYToQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7gyKr7TSxrjK6mh45vL0hw1o6IE>

Ryan Sleevi <ryan-ietftls@sleevi.com> writes:

>For example, the NSS library used by Mozilla has well exceeded a thousand
>lines of code so far.

Is that purely to parse PSS in X.509, or for the overall PSS implementation?
I know PSS is a dog's breakfast of arbitrary parameters and values, but I'm a
bit suspicious of that line count just to process the 'Parameters'
structure, particularly since it's shared with OAEP so already present if you
support OAEP.

Or are you supporting every single possible corner case and weird option
rather than just { SHA-2, MGF1, SHA-2, $SHA2-blocksize }?

>For browsers like Chrome, used by over a billion users, there are indeed
>practical concerns regarding the separation between the TLS layers and the
>certificate layer. The "classic" late-90s view of "one library to do it all"
>(TLS and PKI) is actually not that common in industry, at least not those
>being used "at internet scale".

And that's exactly the point I'm making, the standard currently encodes low-
level internal details of the PKI implementation into the TLS implementation.
Unless you're using one library to do it all, the TLS layer has no idea what
OID the PKI layer is using to identify an RSA key in a certificate, and so it
has no idea whether it should be saying rsa_pss_rsae or rsa_pss_pss because
the PKI layer just presents a certificate with an RSA key.

All of this is currently hidden by the fact that you can't get PSS-OID certs
from any public CA that I know of so everyone can just hardcode rsa_pss_rsae
everywhere and ignore the issue, but at some point some CA may accidentally
issue a PSS-OID cert and then who knows what'll happen.  

For every single TLS implementation out there.

Peter.
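Added example (not part of the thread above, and not code from NSS or any other TLS library): the decision Peter describes, written out as a small Python routine. It reads the AlgorithmIdentifier from a certificate's SubjectPublicKeyInfo and picks rsa_pss_rsae_* when the key OID is rsaEncryption and rsa_pss_pss_* when it is id-RSASSA-PSS; in the second case it also parses the RSASSA-PSS-params and accepts only the { SHA-2, MGF1 with the same SHA-2, salt length = hash length } profile that RFC 8446 section 4.2.3 fixes for those code points. The DER reader is a minimal one written for this example, and the AlgorithmIdentifier blobs at the bottom are hand-encoded for it rather than taken from any real certificate.

```python
"""Pick the TLS 1.3 RSA-PSS SignatureScheme family from a certificate key's AlgorithmIdentifier.
Added example for this thread, not code from NSS or any named TLS library; all DER below is hand-encoded."""

OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # OIDs from RFC 8017 / RFC 4055 / NIST CSOR, dotted form
OID_RSASSA_PSS = "1.2.840.113549.1.1.10"
OID_MGF1 = "1.2.840.113549.1.1.8"
OID_SHA256, OID_SHA384, OID_SHA512 = "2.16.840.1.101.3.4.2.1", "2.16.840.1.101.3.4.2.2", "2.16.840.1.101.3.4.2.3"

# RFC 8446 s4.2.3 code points keyed by hash OID: (hash name, hash length, rsa_pss_rsae_*, rsa_pss_pss_*).
SCHEMES = {OID_SHA256: ("sha256", 32, 0x0804, 0x0809),
           OID_SHA384: ("sha384", 48, 0x0805, 0x080A),
           OID_SHA512: ("sha512", 64, 0x0806, 0x080B)}

def _tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, end). Definite-length only, at most 4 length octets."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length octets
        if not 0 < (n := length & 0x7F) <= 4:
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed value into (tag, value, raw_tlv) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, end = _tlv(value, pos)
        out.append((tag, v, value[pos:end]))
        pos = end
    return out

def _decode_oid(value):
    """Dotted OID from DER content octets: first octet packs arcs 1 and 2, then base-128 arcs."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def parse_algorithm_identifier(der):
    """SEQUENCE { algorithm OID, parameters ANY OPTIONAL } -> (dotted oid, params (tag, value, raw) or None)."""
    tag, body, end = _tlv(der)
    kids = _children(body) if tag == 0x30 and end == len(der) else []
    if not 1 <= len(kids) <= 2 or kids[0][0] != 0x06:
        raise ValueError("expected exactly one SEQUENCE { OID, optional parameters }")
    return _decode_oid(kids[0][1]), (kids[1] if len(kids) == 2 else None)

def parse_pss_params(params):
    """RSASSA-PSS-params (RFC 4055 s3.1): EXPLICIT [0]..[3], each DEFAULTing to SHA-1 / MGF1-SHA-1 / 20 / 1."""
    tag, value, _ = params
    if tag != 0x30:
        raise ValueError("RSASSA-PSS-params must be a SEQUENCE")
    p = {"hash": "1.3.14.3.2.26", "mgf_hash": "1.3.14.3.2.26", "salt": 20, "trailer": 1}   # SHA-1 defaults
    for ctag, cval, _ in _children(value):
        inner = _children(cval)
        if len(inner) != 1:
            raise ValueError("explicit tag must wrap exactly one element")
        itag, ival, iraw = inner[0]
        if ctag == 0xA0:                                    # [0] hashAlgorithm
            p["hash"], _ = parse_algorithm_identifier(iraw)
        elif ctag == 0xA1:                                  # [1] maskGenAlgorithm { id-mgf1, hashAlgorithm }
            mgf_oid, mgf_params = parse_algorithm_identifier(iraw)
            if mgf_oid != OID_MGF1 or mgf_params is None:
                raise ValueError("only MGF1 is defined for RSASSA-PSS")
            p["mgf_hash"], _ = parse_algorithm_identifier(mgf_params[2])
        elif ctag in (0xA2, 0xA3) and itag == 0x02:         # [2] saltLength, [3] trailerField
            p["salt" if ctag == 0xA2 else "trailer"] = int.from_bytes(ival, "big", signed=True)
        else:
            raise ValueError("unexpected element in RSASSA-PSS-params")
    return p

def tls13_schemes_for_key(alg_id_der):
    """(name, code point) list the TLS layer may sign with: rsaEncryption -> rsa_pss_rsae_*,
    id-RSASSA-PSS -> rsa_pss_pss_* narrowed by the key's parameters (RFC 8446 s4.2.3)."""
    oid, params = parse_algorithm_identifier(alg_id_der)
    if oid == OID_RSA_ENCRYPTION:
        if params is not None and params[0] != 0x05:        # RFC 3279: parameters are NULL
            raise ValueError("rsaEncryption parameters must be NULL")
        return [("rsa_pss_rsae_" + s[0], s[2]) for s in SCHEMES.values()]
    if oid == OID_RSASSA_PSS:
        if params is None:                                  # absent parameters: key is unconstrained
            return [("rsa_pss_pss_" + s[0], s[3]) for s in SCHEMES.values()]
        p = parse_pss_params(params)
        h = SCHEMES.get(p["hash"])
        # TLS 1.3 profile: SHA-2 hash, MGF1 with the same hash, salt = hash length, trailer 0xBC (1).
        if h is None or p["mgf_hash"] != p["hash"] or p["salt"] != h[1] or p["trailer"] != 1:
            raise ValueError("RSASSA-PSS key parameters outside the TLS 1.3 profile")
        return [("rsa_pss_pss_" + h[0], h[3])]
    raise ValueError("not an RSA key: " + oid)

# Constructed AlgorithmIdentifiers (hand-encoded DER for this example, not from real certificates).
ALG_RSA_ENCRYPTION = bytes.fromhex("300d06092a864886f70d0101010500")    # rsaEncryption, NULL params
ALG_PSS_UNCONSTRAINED = bytes.fromhex("300b06092a864886f70d01010a")     # id-RSASSA-PSS, params absent
ALG_PSS_SHA256 = bytes.fromhex(     # id-RSASSA-PSS { SHA-256, MGF1-SHA-256, saltLength 32 }
    "303d06092a864886f70d01010a3030" "a00d300b0609608648016503040201"
    "a11a301806092a864886f70d010108300b0609608648016503040201" "a203020120")
ALG_PSS_SALT20 = bytes.fromhex(     # same hashes but saltLength omitted, so it DEFAULTs to 20
    "303806092a864886f70d01010a302b" "a00d300b0609608648016503040201"
    "a11a301806092a864886f70d010108300b0609608648016503040201")
```

Calling tls13_schemes_for_key on each of the four constants gives the three rsa_pss_rsae_* code points for the rsaEncryption key, the three rsa_pss_pss_* code points for the parameter-less PSS key, only rsa_pss_pss_sha256 for the SHA-256/salt-32 key, and a ValueError for the key whose saltLength was left at the RFC 4055 default of 20. The input is the raw SPKI AlgorithmIdentifier, which is the coupling the message is about: a PKI layer that hands the TLS layer nothing more than "an RSA public key" cannot answer the rsae-or-pss question, and a PSS-OID key with constraining parameters needs those parameters too.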