Re: [TLS] PSS SignatureScheme ordinal choice
Eric Rescorla <ekr@rtfm.com> Sat, 29 October 2016 23:15 UTC
In-Reply-To: <CACaGApm0SdKpX1ZnzK_XDTm27EWGAf-y1Vk2aofiSqNp8QyAkA@mail.gmail.com>
References: <CACaGApm0SdKpX1ZnzK_XDTm27EWGAf-y1Vk2aofiSqNp8QyAkA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 29 Oct 2016 16:15:05 -0700
Message-ID: <CABcZeBPN0FmtGNf+ODgJJMu0sCJvm51y_Q-jt46DVvDJyRcX=A@mail.gmail.com>
To: Joseph Birr-Pixton <jpixton@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8LkNqbrIQpdvqTbWU0J1JhbHvv4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PSS SignatureScheme ordinal choice
On Sat, Oct 29, 2016 at 2:27 PM, Joseph Birr-Pixton <jpixton@gmail.com> wrote:

> Just a quick question. In TLS1.3 we have:
>
> enum {
>     rsa_pkcs1_sha1 (0x0201),
>     rsa_pkcs1_sha256 (0x0401),
>     rsa_pkcs1_sha384 (0x0501),
>     rsa_pkcs1_sha512 (0x0601),
>     ecdsa_secp256r1_sha256 (0x0403),
>     ecdsa_secp384r1_sha384 (0x0503),
>     ecdsa_secp521r1_sha512 (0x0603),
>     (then)
>     rsa_pss_sha256 (0x0804),
>     rsa_pss_sha384 (0x0805),
>     rsa_pss_sha512 (0x0806),
> } SignatureScheme;
>
> This kind of looks like someone was trying to make the
> rsa_pss_shasomething ordinals be decodable by a TLS1.2 implementation
> given a SignatureAlgorithm reservation for PSS of 8, but got the bytes
> the wrong way around.
>
> Is this an error, or am I missing something subtle?

No, it's not an error. We deliberately allocated code points with (what would be in TLS 1.2) an unknown hash and an unknown signature algorithm. AFAIK it's just coincidence that the second byte matches up with the 1.5 digest algorithms, by virtue of us counting upward.

-Ekr

> Cheers,
> Joe
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
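The point of the exchange above is how a TLS 1.2 peer reads these two-byte values: RFC 5246 encodes SignatureAndHashAlgorithm as {hash, signature}, so 0x0804 splits into HashAlgorithm 8 and SignatureAlgorithm 4, both unassigned in TLS 1.2, whereas the byte-swapped 0x0408 that the question had in mind would decode as SHA-256 with an unknown signature algorithm. The script below is an added illustration, not code from this thread or from any TLS implementation; it uses the RFC 5246 code-point tables and the SignatureScheme values exactly as quoted in the message, plus a constructed signature_algorithms extension body to show which entries a TLS 1.2 peer can fully interpret.

```python
"""Decode TLS 1.3 SignatureScheme values the way a TLS 1.2 peer sees them.

Added illustration for the thread above; it is not code from the thread,
from the TLS 1.3 draft, or from any TLS implementation. RFC 5246 encodes
SignatureAndHashAlgorithm as two bytes, {hash, signature}, so a TLS 1.2
peer reads the high byte as HashAlgorithm and the low byte as
SignatureAlgorithm. The tables below are the RFC 5246 registrations.
"""
import struct
from typing import List, NamedTuple, Optional

# RFC 5246 section 7.4.1.4.1: HashAlgorithm code points.
TLS12_HASH = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
# RFC 5246 section 7.4.1.4.1: SignatureAlgorithm code points.
TLS12_SIG = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# SignatureScheme values exactly as quoted in the thread (draft-era names).
SIGNATURE_SCHEMES = {
    "rsa_pkcs1_sha1": 0x0201,
    "rsa_pkcs1_sha256": 0x0401,
    "rsa_pkcs1_sha384": 0x0501,
    "rsa_pkcs1_sha512": 0x0601,
    "ecdsa_secp256r1_sha256": 0x0403,
    "ecdsa_secp384r1_sha384": 0x0503,
    "ecdsa_secp521r1_sha512": 0x0603,
    "rsa_pss_sha256": 0x0804,
    "rsa_pss_sha384": 0x0805,
    "rsa_pss_sha512": 0x0806,
}


class Tls12View(NamedTuple):
    """What a TLS 1.2 decoder makes of one 16-bit SignatureScheme value."""
    hash_id: int
    sig_id: int
    hash_name: Optional[str]  # None if RFC 5246 assigns no meaning
    sig_name: Optional[str]   # None if RFC 5246 assigns no meaning


def tls12_view(scheme: int) -> Tls12View:
    """Split a SignatureScheme into the {hash, signature} pair RFC 5246 expects."""
    if not 0 <= scheme <= 0xFFFF:
        raise ValueError("SignatureScheme is a 16-bit value")
    hash_id, sig_id = scheme >> 8, scheme & 0xFF
    return Tls12View(hash_id, sig_id, TLS12_HASH.get(hash_id), TLS12_SIG.get(sig_id))


def classify(scheme: int) -> str:
    """Summarise how much of the value a TLS 1.2 peer would recognise."""
    v = tls12_view(scheme)
    known_hash = v.hash_name is not None
    known_sig = v.sig_name is not None
    if known_hash and known_sig:
        return "known-hash/known-sig"
    if known_hash:
        return "known-hash/unknown-sig"
    if known_sig:
        return "unknown-hash/known-sig"
    return "unknown-hash/unknown-sig"


def swap_bytes(scheme: int) -> int:
    """The layout the question assumed: hash in the high byte, PSS as SignatureAlgorithm 8."""
    return ((scheme & 0xFF) << 8) | ((scheme >> 8) & 0xFF)


def tls12_usable(ext_body: bytes) -> List[int]:
    """Parse a signature_algorithms extension body (RFC 5246: a 2-byte length
    followed by 2-byte pairs) and keep only the entries a TLS 1.2 peer can
    fully interpret, as such a peer does when choosing a signature algorithm."""
    (length,) = struct.unpack("!H", ext_body[:2])
    if length % 2 or len(ext_body) != 2 + length:
        raise ValueError("malformed signature_algorithms body")
    schemes = [struct.unpack("!H", ext_body[i:i + 2])[0]
               for i in range(2, 2 + length, 2)]
    return [s for s in schemes if classify(s) == "known-hash/known-sig"]


if __name__ == "__main__":
    for name, value in SIGNATURE_SCHEMES.items():
        v = tls12_view(value)
        print(f"{name:24s} 0x{value:04x} -> hash {v.hash_id} ({v.hash_name}), "
              f"sig {v.sig_id} ({v.sig_name}): {classify(value)}")
    # Constructed extension body: rsa_pkcs1_sha256, rsa_pss_sha256, ecdsa_secp256r1_sha256.
    body = struct.pack("!H", 6) + bytes.fromhex("040108040403")
    print("TLS 1.2 peer keeps:", [hex(s) for s in tls12_usable(body)])
    swapped = swap_bytes(0x0804)
    print(f"byte-swapped PSS would be 0x{swapped:04x} -> {classify(swapped)}")
```

Running it shows all three PSS values land in the "unknown-hash/unknown-sig" bucket, which is the property Ekr describes: an old peer has nothing it could half-recognise. The byte-swapped layout would instead pair a known hash (SHA-256) with an unknown signature algorithm, so a TLS 1.2 stack that keys its choice on the hash byte alone could be led astray.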