IETF Logo Mail Archive

Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client

Nikos Mavrogiannopoulos <nmav@gnutls.org> Sat, 19 February 2011 08:56 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8E7363A6E93 for <tls@core3.amsl.com>; Sat, 19 Feb 2011 00:56:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.724
X-Spam-Level:
X-Spam-Status: No, score=-3.724 tagged_above=-999 required=5 tests=[AWL=-0.125, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zANRJdtEkXV1 for <tls@core3.amsl.com>; Sat, 19 Feb 2011 00:56:29 -0800 (PST)
Received: from mail-ew0-f44.google.com (mail-ew0-f44.google.com [209.85.215.44]) by core3.amsl.com (Postfix) with ESMTP id 82D253A6DB5 for <tls@ietf.org>; Sat, 19 Feb 2011 00:56:29 -0800 (PST)
Received: by ewy8 with SMTP id 8so2053589ewy.31 for <tls@ietf.org>; Sat, 19 Feb 2011 00:57:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:sender:message-id:date:from:user-agent :mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=1TJPHZRB90+8IjECAwqBi0wpReDrPoeZVWvmwu8ye58=; b=GaPQvhIHYSMpBU90oGIWgJ5dPZwiWt2wTJUSlu7+MPsdyzRveD1V2t3MAqZH3g2U23 M2y1gKUUhzbkKhkj7dFB+kPqfingEKVjbaFvMhu0POnQfuGCh4NfoAWe6wGrFUxpx4Bz ZICQNdGTkAkKWDsdIGaYEwt5E9DjwxKwxjDQs=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=e+ryp4sJ6pWSPgdk4seIcXny0DBtyfXlItanoxoLInqLnop3GEBFarjyp5jWtbDxQ1 PNXgEbSTrVbH5EBbIi85glw5TyHYAbUJPOG3HGNbzz2C/kcbWkl+Am+SmA9Xqf+eQt8g nfdoD9SpEQj3xn977RNIvFZ7QgZaRzzyqbBe4=
Received: by 10.213.109.199 with SMTP id k7mr2023444ebp.96.1298105824317; Sat, 19 Feb 2011 00:57:04 -0800 (PST)
Received: from [10.100.2.14] (78-23-65-69.access.telenet.be [78.23.65.69]) by mx.google.com with ESMTPS id t5sm2684709eeh.20.2011.02.19.00.57.02 (version=SSLv3 cipher=OTHER); Sat, 19 Feb 2011 00:57:03 -0800 (PST)
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <4D5F85DE.4040106@gnutls.org>
Date: Sat, 19 Feb 2011 09:57:02 +0100
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101208 Thunderbird/3.1.7
MIME-Version: 1.0
To: Michael D'Errico <mike-list@pobox.com>
References: <201102181928.p1IJSThD006475@fs4113.wdf.sap.corp> <7B07CE79-74A3-4CED-90E9-5910E67E90C7@iki.fi> <4D5F17B1.9030608@pobox.com>
In-Reply-To: <4D5F17B1.9030608@pobox.com>
X-Enigmail-Version: 1.1.2
OpenPGP: id=96865171
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Feb 2011 08:56:30 -0000

On 02/19/2011 02:06 AM, Michael D'Errico wrote:
> The point of the signature_algorithms extension is to permit a graceful
> upgrade of server certificates to using better than SHA-1 hash functions.
> You couldn't just suddenly switch your server cert to one signed with
> RSA/SHA-256 and expect every client to cope.  It would certainly cause
> problems for some.
> To benefit from the extension, you would need to have two concurrent
> server certificates: one signed with RSA/SHA-1, and another signed with
> RSA/SHA-256.  Then based on the signature algorithms presented by the
> client, your TLS code would choose the best one.

It's pretty bad that a single extension is being used for two
distinct use-cases[0]. The use cases are:
* Negotiate which signature algorithms to use for Server Key Exchange,
and Certificate Verify messages.
* Specify the signature algorithms allowed by a certificate sent
by the server.

There is no reason to assume that these are related. The first
use-case applies to the server and client since they are the
ones doing the signing. On this use case a reply to this
extension with the selected algorithm is required to avoid
caching all messages up to the point of signing.

The latter use-case is relevant to the client only, and says,
I don't accept a certificate that is not signed with any
of these algorithms. The server however obtains his
certificate already signed through a 3rd party (a CA), so there
is little to do in the general case.  This use-case does
not require a reply to the extension from the server.

I think that those extensions could be split into two to
account for the different use-cases.

regards,
Nikos

[0]. What if I have a security module doing TLS that
supports only RSA-SHA256 for signatures, but I have
no restriction for the verification of the certificates
since this is done outside of the module?

v2.23.0 | Report a Bug | By Email