IETF Logo Mail Archive

Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Wed, 13 September 2017 14:35 UTC

Return-Path: <prvs=04296392e0=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF479133039 for <tls@ietfa.amsl.com>; Wed, 13 Sep 2017 07:35:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.197
X-Spam-Level:
X-Spam-Status: No, score=-4.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rBPYofGRK3-O for <tls@ietfa.amsl.com>; Wed, 13 Sep 2017 07:35:27 -0700 (PDT)
Received: from llmx2.ll.mit.edu (LLMX2.LL.MIT.EDU [129.55.12.48]) by ietfa.amsl.com (Postfix) with ESMTP id 9971C1321C7 for <tls@ietf.org>; Wed, 13 Sep 2017 07:35:27 -0700 (PDT)
Received: from LLE2K10-HUB01.mitll.ad.local (LLE2K10-HUB01.mitll.ad.local) by llmx2.ll.mit.edu (unknown) with ESMTP id v8DEZQ4R003212; Wed, 13 Sep 2017 10:35:26 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Hubert Kario <hkario@redhat.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] RSASSA-PSS in certificates and "signature_algorithms"
Thread-Index: AQHTKPY4UhEi4+aSakGFOcW9qXdI/qKwTHOAgAE+SwCAAAg8AIAAGaSAgAAeLAD//76AAIAAS62A///EVICAAVWGAP//+lWA
Date: Wed, 13 Sep 2017 14:35:25 +0000
Message-ID: <FD577598-B505-4266-9B83-ED51BA4F59B7@ll.mit.edu>
References: <20170908225948.GC31695@al> <10457521.MfgfQs1Zne@pintsize.usersys.redhat.com> <C63A6903-6F5E-4975-A160-94312A549D79@ll.mit.edu> <11673774.J8OL2FLGDl@pintsize.usersys.redhat.com>
In-Reply-To: <11673774.J8OL2FLGDl@pintsize.usersys.redhat.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.25.0.170815
x-originating-ip: [172.25.177.12]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3588143725_833612516"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-09-13_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1709130226
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/CJaa4s3-rRJTVCAe-2ZumcsCxew>
Subject: Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 14:35:30 -0000

    > enforcing the default. The default being: 
    > - Hash algorithm the same as specified in Signature Algorithm
    > - MGF1 hash is the same as above
    > - Salt length same as digest length above
    
    No problem with that being recommendation, but I've seen people claiming that 
    some applications don't follow that salt length requirement, so I'd say it 
    would cause unnecessary problems if it was set too strict

I’m sure some apps follow, and some don’t. I’m simply saying that it makes sense for TLS to pick a sensible default (like the above) and stick with it. Other apps may do what they think is best.
     
As for above, in view of the following discussion I think it would be better to replace “Signature Algorithm” above with “subjectPublicKeyInfo.algorithm.parameters.hashAlgorithm”.
I still think that only the necessary minimum of parameters should be passed explicitly.

    I'm talking about subjectPublicKeyInfo field, *not* about signatureAlgorithm 
    field from RFC 3280
 
OK, point taken. Thanks for clarifying.

    and there are clients that advertise only a subset of hashes:
    https://www.ssllabs.com/ssltest/viewClient.html?
    name=Safari&version=6&platform=iOS%206.0.1&key=33
     
Seriously? iOS 6? Why not iOS 5 or 4? I think I still have an iOS 5 device somewhere. ;-)

    > The cryptographic module would perform RSA-PSS *signature* with whatever
    > hashes it can. It won’t bother with *validation*, so this module’s
    > limitations shouldn’t matter.
    
    but it can't perform that signature using hash 
    *that the client didn't advertise*
    
You’re probably right. But for my benefit, could you please outline the scenario how this would/could be used? To make sure I completely understand the use case?

    Now, because the subjectPublicKeyInfo is chosen by the person generating the 
    key (user) and signatureAlgorithm is chosen by the CA, and it is quite common 
    already that e.g. a P-384 CA signs with SHA384 a P-256 intermediate CA that 
    then signs EE with a SHA-256. I really don't think that *all* hashes should be 
    the same.
    
OK, you convinced me here. I missed that. :-(

    > Oh no – I’m eccentric but not quite insane yet. ;-)
    
    well, we do work on ASN.1 stuff... ;)

And I start developing liking of ASN.1. Does it mean it’s time to get my head examined? ;-)

v2.23.0 | Report a Bug | By Email