Re: [TLS] Renumbering the new SignatureSchemes
David Benjamin <davidben@chromium.org> Tue, 20 September 2016 18:24 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24F0B12B12E for <tls@ietfa.amsl.com>; Tue, 20 Sep 2016 11:24:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.015
X-Spam-Level:
X-Spam-Status: No, score=-5.015 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-2.316, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T7EDB3kG7UM3 for <tls@ietfa.amsl.com>; Tue, 20 Sep 2016 11:24:54 -0700 (PDT)
Received: from mail-it0-x22c.google.com (mail-it0-x22c.google.com [IPv6:2607:f8b0:4001:c0b::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE12212B14C for <tls@ietf.org>; Tue, 20 Sep 2016 11:24:53 -0700 (PDT)
Received: by mail-it0-x22c.google.com with SMTP id o3so105963655ita.1 for <tls@ietf.org>; Tue, 20 Sep 2016 11:24:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mtqQ9j5/Ec8BPEGXjaLNp8gi6+y6vdKIzkpwQDUKRKA=; b=Z/mXF34apJ+NBudGQxIEDNRC0GMK4h3BFpEerpeV+tWJb2hO/boY6B3U87kGNGd/GC 9Dew8FDEEFITPdQbbv67c057CkbxnUej77JgC6O6UO+x3KyU+UpxcfUQ85pZMrS8G4BT 3osJjq80fZZzEqndkY0JGTa9Gj0fW82LyrPXA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mtqQ9j5/Ec8BPEGXjaLNp8gi6+y6vdKIzkpwQDUKRKA=; b=JoQrvUKVMAgoV3yL1tHJ6aPMR/YMYaN9ZJAn7Ox58BLu09R8uDfbOkJrPI7cwVn0tg micEBxW7hbdMkrblMWIHSGEQ1A1kAoZjMNdMcdRsRbCwVe9hBNtba7uAGqbWPZGi4qK3 os/vtXC6dbSRgP3M1huHDx4XSRWGvvR1txQDn9OYtyHh5iWR8GXIp/hUKAem2AARTOwx HJGwdGfHsldHBcE/PPT04EC+wqkQa1Je4xZTpzg7dDDlLF+2+V5GW1nnEE1RcWXvHTn5 8hmVztaZES8BSEQ9E93bVl8PQH0Q199KyLkGnpjaGsGacjHPJ+SaqEoK/iHpX52qITMY 18EA==
X-Gm-Message-State: AE9vXwMfK9cRp3pLKjSaVnepptrNHLShSPN5ZBbznMVssn9CjnGQmyx0RgwmR28rBtR7/mdVuhVvOZTvjZkSpeFr
X-Received: by 10.36.237.6 with SMTP id r6mr5699198ith.62.1474395893159; Tue, 20 Sep 2016 11:24:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAF8qwaAo-MKJvxdpDkb-fyMfLmOpbhif=2Axik3wnr1DPzd5Eg@mail.gmail.com> <20160920153327.GA12381@LK-Perkele-V2.elisa-laajakaista.fi> <CAF8qwaBpksHy_=csDKmnSU3k5uQDkf2-0dGUsbf1v9h998cK2A@mail.gmail.com> <16571109.7c9qxWjLg8@pintsize.usersys.redhat.com>
In-Reply-To: <16571109.7c9qxWjLg8@pintsize.usersys.redhat.com>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 20 Sep 2016 18:24:42 +0000
Message-ID: <CAF8qwaA_zg1bs2MK=MC7=V5YVdfO5_S7Gz6pyhDSsrAzYrwOkg@mail.gmail.com>
To: Hubert Kario <hkario@redhat.com>, tls@ietf.org
Content-Type: multipart/alternative; boundary="f403045ccb3878b700053cf48baa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/CEzIGO5bNmWh1BdpogNX15ptpg8>
Subject: Re: [TLS] Renumbering the new SignatureSchemes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Sep 2016 18:24:57 -0000
On Tue, Sep 20, 2016 at 2:14 PM Hubert Kario <hkario@redhat.com> wrote: > On Tuesday, 20 September 2016 15:56:01 CEST David Benjamin wrote: > > On Tue, Sep 20, 2016 at 11:33 AM Ilari Liusvaara < > ilariliusvaara@welho.com> > > > > wrote: > > > On Tue, Sep 20, 2016 at 03:07:51PM +0000, David Benjamin wrote: > > > > Hi folks, > > > > > > > > I've just uploaded this PR to slightly tweak SignatureScheme > numbering: > > > > https://github.com/tlswg/tls13-spec/pull/641 > > > > > > > > In principle, we should only have needed to burn values starting with > > > > > > known > > > > > > > HashAlgorithms, but TLS 1.2 said: > > > > signature > > > > > > > > This field indicates the signature algorithm that may be used. > > > > The values indicate anonymous signatures, RSASSA-PKCS1-v1_5 > > > > [PKCS1] and DSA [DSS], and ECDSA [ECDSA], respectively. The > > > > "anonymous" value is meaningless in this context but used in > > > > Section 7.4.3. It MUST NOT appear in this extension. > > > > > > > > We'd started RSA-PSS along the train to get shipped in Chrome to get > > > > > > early > > > > > > > warning on any interoperability issues. We ran into an implementation > > > > > > which > > > > > > > enforced this MUST NOT. It's a MUST NOT in 1.2, so it seems prudent > to > > > > allocate around it and avoid ending in known SignatureAlgorithms. > Thus, > > > > rather than only burning {0x00-0x06, *}, we also burn {*, 0x00-0x03}. > > > > > > This > > > > > > > has the added benefit that TLS 1.2 dissector tools don't get > confused. > > > > > > Heck, I think one could put the RSA-PSS ones as 0404, 0504 and 0604, > > > as those do have the indicated "prehashes". > > > > > > And one could probably also stick Ed25519/Ed448 in 00xx, as those have > > > no prehash, which is exactly what "hash #0" is about. > > > > > > (Of course, this all is pretty pointless bikeshedding). > > > > The ecdsa_p256_sha256 business means that the old scheme isn't quite > > accurate. And if we are to drop the old scheme, it was intentional on my > > part that RSA-PSS did not look like it, even though it still fit. I think > > that paid off. No one's going to implement Ed25519 for a while, so > RSA-PSS > > is our smoke test that this SignatureScheme idea is sane. (Both for > interop > > and for making sure removing the hash/sig decomposition in > implementations > > internally is sound.) > > I'll be running test looking for intolerances like this over the Alexa top > 1 > million next month. > (I've already done this, by the way. It's where the numbers in the version negotiation thread came from.) > For now I have a probe that adds values 0x0003, 0x0004, 0x0700, 0x0703 and > 0x0704 at the end of the list of algorithms. > At the front is probably more realistic. There is even a MUST-level requirement in the current TLS 1.3 spec for SHA-1 sigalgs to be at the end, so the new ones can't be (unless you take SHA-1 out, which is, sadly, unrealistic today... an upsetting number of 1.2 servers only sign SHA-1). I was able to find a few instances of an NSS bug ( https://bugzilla.mozilla.org/show_bug.cgi?id=1119983), but nothing else. The offending implementation for this thread was actually a WebRTC stack (DTLS), not an HTTPS server. We hit it via Chrome's Dev channel. But since this intolerance comes from a MUST-level requirement in TLS 1.2, I think it's prudent to renumber. > Would you suggest doing something more with it? > > (I will be looking for key_share extension intolerance as a whole too) > -- > Regards, > Hubert Kario > Senior Quality Engineer, QE BaseOS Security team > Web: www.cz.redhat.com > Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
- [TLS] Renumbering the new SignatureSchemes David Benjamin
- Re: [TLS] Renumbering the new SignatureSchemes Ilari Liusvaara
- Re: [TLS] Renumbering the new SignatureSchemes David Benjamin
- Re: [TLS] Renumbering the new SignatureSchemes Eric Rescorla
- Re: [TLS] Renumbering the new SignatureSchemes Hubert Kario
- Re: [TLS] Renumbering the new SignatureSchemes David Benjamin
- Re: [TLS] Renumbering the new SignatureSchemes Hubert Kario