Re: [TLS] Possible TLS 1.3 erratum

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 20 July 2021 14:19 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Hubert Kario <hkario@redhat.com>
CC: Ilari Liusvaara <ilariliusvaara@welho.com>, "tls@ietf.org" <tls@ietf.org>
Date: Tue, 20 Jul 2021 14:18:38 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/B-MazZs9LV7ELLMH3pWqGTHJB5s>

Hubert Kario <hkario@redhat.com> writes:

>I suggest you go back to the RFCs and check exactly what is needed for proper
>handling of RSA-PSS Subject Public Key type in X.509. Specifically when the
>"parameters" field is present.

Looking at the code I'm using, it's four lines of extra code for PSS when
reading sigs and four lines extra when writing (OK, technically seven if you
include the "if" statement and curly braces lines).

>You definitely won't be able to implement it in just "few lines".

See above.

>2. "What certificates can peer accept" is totally within the purview of TLS.

Two things, firstly those values are used in two different extensions, only
one of which covers signatures in certificates, and secondly, what happens if
the client says rsa_pss_pss and the server only has an rsa_pss_rsae
certificate?  Does the server admin rush out and buy an rsa_pss_pss
certificate (or, at the moment, found a new public CA that will issue them an
rsa_pss_pss certificate) just to keep the client happy?  Or are they expected
to go out and buy two lots of every certificate that differ only in the RSA
OID used just to play along with the client's request?  This is exactly the
reason why CMS rejected special-case handling for this stuff, because it
doesn't make any sense.  And now TLS is doing the exact thing that CMS
rejected for not making any sense.

Since the next step in the exchange will be to send the client the
certificate, the only thing it could potentially do is save a single round
trip when the handshake is rejected by the server for lack of an
appropriately-OIDed cert rather than the client when it gets said cert.

Peter.
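
The mismatch discussed in this message, as an added example that is not part of the original post or of any TLS library: a server matching the client's signature_algorithms list against the SubjectPublicKeyInfo OID of each certificate it holds, for the CertificateVerify signature only. The code points and OIDs are those in RFC 8446 and RFC 4055; the certificate names, the sample extension bytes and the client-preference-order selection are assumptions made for this sketch.

```python
import struct

# SubjectPublicKeyInfo algorithm OIDs (RFC 4055).
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption
OID_RSASSA_PSS = "1.2.840.113549.1.1.10"      # id-RSASSA-PSS

# SignatureScheme code points (RFC 8446, section 4.2.3), keyed by the
# key OID that is allowed to produce them.
KEY_SCHEMES = {
    OID_RSA_ENCRYPTION: {0x0804: "rsa_pss_rsae_sha256",
                         0x0805: "rsa_pss_rsae_sha384",
                         0x0806: "rsa_pss_rsae_sha512"},
    OID_RSASSA_PSS: {0x0809: "rsa_pss_pss_sha256",
                     0x080A: "rsa_pss_pss_sha384",
                     0x080B: "rsa_pss_pss_sha512"},
}


def parse_signature_algorithms(ext_data):
    """Parse signature_algorithms extension_data: uint16 length, then uint16 list."""
    if len(ext_data) < 2:
        raise ValueError("truncated extension")
    (n,) = struct.unpack_from("!H", ext_data)
    if n == 0 or n % 2 or n != len(ext_data) - 2:
        raise ValueError("bad supported_signature_algorithms length")
    return list(struct.unpack_from("!%dH" % (n // 2), ext_data, 2))


def select_certificate(client_schemes, server_certs):
    """Return (cert name, scheme name) for the first client-preferred scheme
    that some held certificate's key OID permits, or None when nothing
    matches and the server has to abort with handshake_failure."""
    for scheme in client_schemes:
        for name, spki_oid in server_certs:
            usable = KEY_SCHEMES.get(spki_oid, {})
            if scheme in usable:
                return name, usable[scheme]
    return None


# Constructed sample data: a server holding one rsaEncryption certificate.
SERVER_CERTS = [("example-rsae-cert", OID_RSA_ENCRYPTION)]
CLIENT_PSS_ONLY = bytes.fromhex("0006" "0809" "080a" "080b")
CLIENT_PSS_THEN_RSAE = bytes.fromhex("0004" "0809" "0804")

if __name__ == "__main__":
    for ext in (CLIENT_PSS_ONLY, CLIENT_PSS_THEN_RSAE):
        offered = parse_signature_algorithms(ext)
        print([hex(s) for s in offered], "->",
              select_certificate(offered, SERVER_CERTS))
```
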