IETF Logo Mail Archive

Re: [TLS] AD Review of draft-ietf-tls-tls13

Eric Rescorla <ekr@rtfm.com> Mon, 22 May 2017 21:23 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF1631292AE for <tls@ietfa.amsl.com>; Mon, 22 May 2017 14:23:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w0IumlmNvqwk for <tls@ietfa.amsl.com>; Mon, 22 May 2017 14:23:12 -0700 (PDT)
Received: from mail-yb0-x229.google.com (mail-yb0-x229.google.com [IPv6:2607:f8b0:4002:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1E26128DF2 for <tls@ietf.org>; Mon, 22 May 2017 14:23:11 -0700 (PDT)
Received: by mail-yb0-x229.google.com with SMTP id p143so33604669yba.2 for <tls@ietf.org>; Mon, 22 May 2017 14:23:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=0Bk9Z9ZJhDQqWpuJiQ5Yw7YVK88+qCci51+mOE7h67M=; b=oUAjLza6kzjGB1PjlkkIVLlB/b2+Um3Wd/AbmEZdbI8JeTgvOvFns09Unzzp2NG371 sz4cd5jcNAuG+XyNoA5mghC4Uw52psn0wpNEIKghB7j9CCxBHJzbaDsUt4crkBnznCM/ JBEzWyDeHSUQaTOl9a0zsMbVrQivSFTevYxG+/acnJwIYMpmc3Mqs7NqeS8uWRpEK+ar roTc4de7e9zaoWZMpi3snRYqqwIi2fyDgfcNHYgp4TRPB/Mp6lqC+rTIlNi/8eUEvquV NE+9VCcZzXnl0MOYQDl/pJr2suCONSrx4vYSasdOG5BSFaX7i2CQBhKFTV6cWVlPYqol m0fw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=0Bk9Z9ZJhDQqWpuJiQ5Yw7YVK88+qCci51+mOE7h67M=; b=YP/QejQIll+h4qjrUr0QscRnRaKuenGnhMD0HMF0pZx6Dt5HbMHewgCemCvRgfcNO1 teT/Uapy/wvX9FHS4EQblV8SeqJn3VgDqpOCvgEonP4MAwZoH6TaZ5whpUGqIpwUwruT Jym3ek7jSH8+5yXBxQye08nBXx47oHKcSm3LuYLyAdDxNOV1C4JySa/bvl4DA0Wlsq/7 66saW0kOnHd+vNNRrO5aT3jwq7npkfJGKWsOVb06irEHwXACMORCykTPG26Jp5aQbzkw G8XPxTP/sW3btP6svg0XtEzimSaqzMHA5X8ap+fBrgh22DHsvSOmm7x5yqC//+22EQ0F YY/w==
X-Gm-Message-State: AODbwcAto/aqcHb61Rwm3rxXaUC9aVANDSpeR9QmkTXuOG7K1RfrZoqJ PGxftMpLqYycqPwWEQjxH73XG0l4WmzD
X-Received: by 10.37.206.8 with SMTP id x8mr15443493ybe.16.1495488191192; Mon, 22 May 2017 14:23:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.131.150 with HTTP; Mon, 22 May 2017 14:22:30 -0700 (PDT)
In-Reply-To: <20170522210018.GQ10188@localhost>
References: <f262447d-5bd1-68c8-dac6-ad2224733235@akamai.com> <35E448DD-7F74-4563-9707-DFAB66125FAA@dukhovni.org> <89704888-5f4d-0021-74cb-4cea28c773bd@akamai.com> <ac704db142c04e7b8a836df711e9bc7f@usma1ex-dag1mb1.msg.corp.akamai.com> <1A619330-282A-44F0-871B-DF6D15850394@dukhovni.org> <CABcZeBOvRGar9ZLTo=tu+oUxRWtMucwr5Bk1dPY8C1mAa9asTg@mail.gmail.com> <20170522201729.GO10188@localhost> <CABcZeBMx5wbfchzonxQ5E6N2cOSAXSFX5JpEdTQMMaTnoCb7Dg@mail.gmail.com> <20170522204326.GP10188@localhost> <CABcZeBM1SWnganpX_VyDRiVm+ZFSoA6tZpCWX+Ec-D6So6RUGw@mail.gmail.com> <20170522210018.GQ10188@localhost>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 23 May 2017 06:22:30 +0900
Message-ID: <CABcZeBMMfp4DUcNCFUYCCP6B+UQn85bq2LSoumJdywy=0GOq4Q@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c190b20672ca00550237ae0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9chI-heBlITkVGf_sbiQzbYorbU>
Subject: Re: [TLS] AD Review of draft-ietf-tls-tls13
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2017 21:23:14 -0000

On Tue, May 23, 2017 at 6:00 AM, Nico Williams <nico@cryptonector.com>
wrote:

> On Tue, May 23, 2017 at 05:49:47AM +0900, Eric Rescorla wrote:
> > On Tue, May 23, 2017 at 5:43 AM, Nico Williams <nico@cryptonector.com>
> > wrote:
> > > On Tue, May 23, 2017 at 05:26:28AM +0900, Eric Rescorla wrote:
> > > > On Tue, May 23, 2017 at 5:17 AM, Nico Williams <
> nico@cryptonector.com>
> > > > wrote:
> > > > > > In any case, I think there are two issues:
> > > > > > 1. Forbid TLS 1.3 implementations from accepting MD5 and SHA-1.
> > > > > > 2. Require a specific failure if the peer presents such a
> > > certificate.
> > > > > >
> > > > > > There was pretty strong consensus to do #1 and I don't support
> > > removing
> > > > > > it. That seems like a pretty modest layering violation. If people
> > > think
> > > > > that
> > > > > > the mandate for this specific alert is too onerous, I could live
> with
> > > > > > removing
> > > > > > that.
> > > > >
> > > > > I don't understand how you can have (1) and not (2).
> > > >
> > > > As Ilari suggests, you could just treat the algorithms as unknown.
> > >
> > > How does that square with (1)?
> > >
> >
> > I don't understand the question. If you treat them as unknown then
> > either your path construction code will route around them or once you
> > try to verify, it will fail.
>
> That *really* seems like a layer violation!
>

As I said, I don't have a problem with it. It's TLS giving instructions to
the PKI subsystem.


> >    Clients SHOULD/MUST NOT accept server certificates, or certificate
> > >    validation paths, where the server certificate or intermediate
> > >    certificates (but not trust anchors) are signed with "weak"
> signature
> > >    algorithms, unless the client is not expecting TLS to strongly
> > >    authenticate the server (e.g., for opportunistic use) or where the
> > >    client has previously learned and cached the server's certificate.
> >
> > I don't think "strongly authenticate" is useful here. I think the
> > requirement is that the RP must not accept these algorithms in any
> > context which would require validating signatures made using them.
>
> Well, I want it to be crystal clear that the "not MD5 and such"
> requirement need not apply to opportunistic TLS usage.


I don't think "opportunistic" is a clearly enough defined category to be
useful
here. Rather, I think the relevant criterion is the one I listed above. If
people
agree, I'd be happy to make that change (and can produce text) because I
think it conforms to the WG consensus.

-Ekr

v2.23.0 | Report a Bug | By Email